kotovalexarian-likes-github
/
rails--rails
mirror of https://github.com/rails/rails.git
1
0
Fork 0
Code Releases Activity

Cookie session store: ensure that new sessions doesn't reuse data from a deleted session in the same request. 

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6424 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
This commit is contained in:
Jeremy Kemper 2007-03-14 11:33:10 +00:00
parent 1f02271048
commit bbcfb9b625
3 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
actionpack/CHANGELOG
View File

@ -1,5 +1,7 @@
*SVN*
* Cookie session store: ensure that new sessions doesn't reuse data from a deleted session in the same request. [Jeremy Kemper]
* Deprecation: verification with :redirect_to => :named_route shouldn't be deprecated. #7525 [Justin French]
* Cookie session store: raise ArgumentError when :session_key is blank. [Jeremy Kemper]

6
actionpack/lib/action_controller/session/cookie_store.rb
View File

@ -96,6 +96,7 @@ class CGI::Session::CookieStore
# Delete the session data by setting an expired cookie with no data.
def delete
@data = nil
clear_old_cookie_value
write_cookie('value' => '', 'expires' => 1.year.ago)
end
@ -134,4 +135,9 @@ class CGI::Session::CookieStore
cookie = CGI::Cookie.new(@cookie_options.merge(options))
@session.cgi.send :instance_variable_set, '@output_cookies', [cookie]
end
# Clear cookie value so subsequent new_session doesn't reload old data.
def clear_old_cookie_value
@session.cgi.cookies[@cookie_options['name']].clear
end
end

13
actionpack/test/controller/session/cookie_store_test.rb
View File

@ -135,6 +135,19 @@ class CookieStoreTest < Test::Unit::TestCase
end
end
def test_new_session_doesnt_reuse_deleted_cookie_data
set_cookie! cookie_value(:typical)
new_session do |session|
assert_not_nil session['user_id']
session.delete
# Start a new session using the same CGI instance.
post_delete_session = CGI::Session.new(session.cgi, self.class.default_session_options)
assert_nil post_delete_session['user_id']
end
end
private
def assert_no_cookies(session)
assert_nil session.cgi.output_cookies, session.cgi.output_cookies.inspect