mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Session cookie header should always be set if :expire_after option is specified
parent
9714a9b001
commit
2ae8d3079b
3 changed files with 40 additions and 8 deletions
|
@ -102,8 +102,10 @@ module ActionController
|
||||||
response = @app.call(env)
|
response = @app.call(env)
|
||||||
|
|
||||||
session_data = env[ENV_SESSION_KEY]
|
session_data = env[ENV_SESSION_KEY]
|
||||||
if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?)
|
options = env[ENV_SESSION_OPTIONS_KEY]
|
||||||
options = env[ENV_SESSION_OPTIONS_KEY]
|
|
||||||
|
if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after]
|
||||||
|
session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?)
|
||||||
|
|
||||||
if session_data.is_a?(AbstractStore::SessionHash)
|
if session_data.is_a?(AbstractStore::SessionHash)
|
||||||
sid = session_data.id
|
sid = session_data.id
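Review bot: The added `|| options[:expire_after]` branch, together with the new `load!` line, means that once :expire_after is configured a request whose action never touches the session still loads it and gets the session cookie re-sent, and nothing at the condition says so. For a store keyed by `session_data.id` this presumably also creates a session record for every cookieless client. Responses that used to be cookie-free now carry a session identifier, which matters behind shared caches. I would document the trade-off at the condition, e.g. `# :expire_after => sliding expiry: always load the session and re-send the cookie, even if the action did not use it`. The same condition is added in the second hunk (`@ -93,12 +93,14`), and the enclosing method starts and ends outside both hunks.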
|
||||||
|
|
|
@ -93,12 +93,14 @@ module ActionController
|
||||||
status, headers, body = @app.call(env)
|
status, headers, body = @app.call(env)
|
||||||
|
|
||||||
session_data = env[ENV_SESSION_KEY]
|
session_data = env[ENV_SESSION_KEY]
|
||||||
if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?)
|
options = env[ENV_SESSION_OPTIONS_KEY]
|
||||||
|
|
||||||
|
if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after]
|
||||||
|
session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?)
|
||||||
session_data = marshal(session_data.to_hash)
|
session_data = marshal(session_data.to_hash)
|
||||||
|
|
||||||
raise CookieOverflow if session_data.size > MAX
|
raise CookieOverflow if session_data.size > MAX
|
||||||
|
|
||||||
options = env[ENV_SESSION_OPTIONS_KEY]
|
|
||||||
cookie = Hash.new
|
cookie = Hash.new
|
||||||
cookie[:value] = session_data
|
cookie[:value] = session_data
|
||||||
unless options[:expire_after].nil?
|
unless options[:expire_after].nil?
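Review bot: The expiry is carried only by the cookie's expires attribute: `cookie[:value] = session_data` is the marshalled session hash with no timestamp inside it, so the server cannot reject a value presented after its expiry. The new test shows this, since the `cookie_body` issued on the first request is expected unchanged a day later and is simply renewed. Because the cookie is now refreshed on every request, a session that stays in use also never reaches an absolute end. A comment above `unless options[:expire_after].nil?` should state this, for example `# NOTE: :expire_after is a browser-side hint only; the cookie value carries no expiry and none is checked server-side`. The method body continues outside the hunk.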
|
||||||
|
|
|
@ -6,13 +6,11 @@ class CookieStoreTest < ActionController::IntegrationTest
|
||||||
SessionSecret = 'b3c631c314c0bbca50c1b2843150fe33'
|
SessionSecret = 'b3c631c314c0bbca50c1b2843150fe33'
|
||||||
|
|
||||||
DispatcherApp = ActionController::Dispatcher.new
|
DispatcherApp = ActionController::Dispatcher.new
|
||||||
CookieStoreApp = ActionController::Session::CookieStore.new(DispatcherApp,
|
CookieStoreApp = ActionController::Session::CookieStore.new(DispatcherApp, :key => SessionKey, :secret => SessionSecret)
|
||||||
:key => SessionKey, :secret => SessionSecret)
|
|
||||||
|
|
||||||
Verifier = ActiveSupport::MessageVerifier.new(SessionSecret, 'SHA1')
|
Verifier = ActiveSupport::MessageVerifier.new(SessionSecret, 'SHA1')
|
||||||
|
|
||||||
SignedBar = "BAh7BjoIZm9vIghiYXI%3D--" +
|
SignedBar = "BAh7BjoIZm9vIghiYXI%3D--fef868465920f415f2c0652d6910d3af288a0367"
|
||||||
"fef868465920f415f2c0652d6910d3af288a0367"
|
|
||||||
|
|
||||||
class TestController < ActionController::Base
|
class TestController < ActionController::Base
|
||||||
def no_session_access
|
def no_session_access
|
||||||
|
@ -177,6 +175,36 @@ class CookieStoreTest < ActionController::IntegrationTest
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_session_store_with_expire_after
|
||||||
|
app = ActionController::Session::CookieStore.new(DispatcherApp, :key => SessionKey, :secret => SessionSecret, :expire_after => 5.hours)
|
||||||
|
@integration_session = open_session(app)
|
||||||
|
|
||||||
|
with_test_route_set do
|
||||||
|
# First request accesses the session
|
||||||
|
time = Time.local(2008, 4, 24)
|
||||||
|
Time.stubs(:now).returns(time)
|
||||||
|
expected_expiry = (time + 5.hours).gmtime.strftime("%a, %d-%b-%Y %H:%M:%S GMT")
|
||||||
|
|
||||||
|
cookies[SessionKey] = SignedBar
|
||||||
|
|
||||||
|
get '/set_session_value'
|
||||||
|
assert_response :success
|
||||||
|
|
||||||
|
cookie_body = response.body
|
||||||
|
assert_equal ["_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; httponly"], headers['Set-Cookie']
|
||||||
|
|
||||||
|
# Second request does not access the session
|
||||||
|
time = Time.local(2008, 4, 25)
|
||||||
|
Time.stubs(:now).returns(time)
|
||||||
|
expected_expiry = (time + 5.hours).gmtime.strftime("%a, %d-%b-%Y %H:%M:%S GMT")
|
||||||
|
|
||||||
|
get '/no_session_access'
|
||||||
|
assert_response :success
|
||||||
|
|
||||||
|
assert_equal ["_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; httponly"], headers['Set-Cookie']
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
def with_test_route_set
|
def with_test_route_set
|
||||||
with_routing do |set|
|
with_routing do |set|
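Review bot: `test_session_store_with_expire_after` covers only `ActionController::Session::CookieStore` and only a client that already holds a cookie (`cookies[SessionKey] = SignedBar`), so two paths changed by this commit are left unpinned. There is no request to `/no_session_access` from a client with no cookie at all, which is presumably where the forced `load!` newly creates and sends a session, and nothing visible here exercises the sid-based store changed in the first hunk. The second request is also stubbed 24 hours after the first while `:expire_after` is `5.hours`, so the test quietly relies on a cookie past its expiry being accepted. A time inside the window, or a comment such as `# test cookie jar ignores expires; server renews regardless`, would make that intent explicit.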
|
||||||
|
|