diff options
| author | Ryan Bigg <radarlistener@gmail.com> | 2008-10-01 21:38:16 +0930 |
|---|---|---|
| committer | Ryan Bigg <radarlistener@gmail.com> | 2008-10-01 21:38:16 +0930 |
| commit | dbbd757edd896947e33fdf18ba870b8df5974d62 (patch) | |
| tree | cc0428bee430a18200925acb830f3dc3946e31de /actionpack/lib/action_controller | |
| parent | 6aca4458e3a1712a4a675ee7bf2cd35701ff75c9 (diff) | |
| parent | 8292c7dfce4b893588860053e50ef60ae9a0609a (diff) | |
| download | rails-dbbd757edd896947e33fdf18ba870b8df5974d62.tar.gz rails-dbbd757edd896947e33fdf18ba870b8df5974d62.tar.bz2 rails-dbbd757edd896947e33fdf18ba870b8df5974d62.zip | |
Merge branch 'master' of git@github.com:lifo/docrails
Diffstat (limited to 'actionpack/lib/action_controller')
6 files changed, 13 insertions, 26 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb index fe168788e2..91f531f12c 100644 --- a/actionpack/lib/action_controller/base.rb +++ b/actionpack/lib/action_controller/base.rb @@ -252,7 +252,7 @@ module ActionController #:nodoc: # # def do_something # redirect_to(:action => "elsewhere") and return if monkeys.nil? - # render :action => "overthere" # won't be called unless monkeys is nil + # render :action => "overthere" # won't be called if monkeys is nil # end # class Base diff --git a/actionpack/lib/action_controller/cgi_ext/session.rb b/actionpack/lib/action_controller/cgi_ext/session.rb index a01f17f9ce..d3f85e3705 100644 --- a/actionpack/lib/action_controller/cgi_ext/session.rb +++ b/actionpack/lib/action_controller/cgi_ext/session.rb @@ -6,28 +6,8 @@ class CGI #:nodoc: # * Expose the CGI instance to session stores. # * Don't require 'digest/md5' whenever a new session id is generated. class Session #:nodoc: - begin - require 'securerandom' - - # Generate a 32-character unique id using SecureRandom. - # This is used to generate session ids but may be reused elsewhere. - def self.generate_unique_id(constant = nil) - SecureRandom.hex(16) - end - rescue LoadError - # Generate an 32-character unique id based on a hash of the current time, - # a random number, the process id, and a constant string. This is used - # to generate session ids but may be reused elsewhere. - def self.generate_unique_id(constant = 'foobar') - md5 = Digest::MD5.new - now = Time.now - md5 << now.to_s - md5 << String(now.usec) - md5 << String(rand(0)) - md5 << String($$) - md5 << constant - md5.hexdigest - end + def self.generate_unique_id(constant = nil) + ActiveSupport::SecureRandom.hex(16) end # Make the CGI instance available to session stores. diff --git a/actionpack/lib/action_controller/cgi_process.rb b/actionpack/lib/action_controller/cgi_process.rb index d381af1b84..fabacd9b83 100644 --- a/actionpack/lib/action_controller/cgi_process.rb +++ b/actionpack/lib/action_controller/cgi_process.rb @@ -42,7 +42,8 @@ module ActionController #:nodoc: :prefix => "ruby_sess.", # prefix session file names :session_path => "/", # available to all paths in app :session_key => "_session_id", - :cookie_only => true + :cookie_only => true, + :session_http_only=> true } def initialize(cgi, session_options = {}) diff --git a/actionpack/lib/action_controller/rack_process.rb b/actionpack/lib/action_controller/rack_process.rb index 1ace16da07..e8ea3704a8 100644 --- a/actionpack/lib/action_controller/rack_process.rb +++ b/actionpack/lib/action_controller/rack_process.rb @@ -14,7 +14,8 @@ module ActionController #:nodoc: :prefix => "ruby_sess.", # prefix session file names :session_path => "/", # available to all paths in app :session_key => "_session_id", - :cookie_only => true + :cookie_only => true, + :session_http_only=> true } def initialize(env, session_options = DEFAULT_SESSION_OPTIONS) diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb index 5bf7503f04..f2fb200950 100644 --- a/actionpack/lib/action_controller/session/cookie_store.rb +++ b/actionpack/lib/action_controller/session/cookie_store.rb @@ -70,7 +70,8 @@ class CGI::Session::CookieStore 'path' => options['session_path'], 'domain' => options['session_domain'], 'expires' => options['session_expires'], - 'secure' => options['session_secure'] + 'secure' => options['session_secure'], + 'http_only' => options['session_http_only'] } # Set no_hidden and no_cookies since the session id is unused and we diff --git a/actionpack/lib/action_controller/session_management.rb b/actionpack/lib/action_controller/session_management.rb index f5a1155a46..fd3d94ed97 100644 --- a/actionpack/lib/action_controller/session_management.rb +++ b/actionpack/lib/action_controller/session_management.rb @@ -60,6 +60,10 @@ module ActionController #:nodoc: # # the session will only work over HTTPS, but only for the foo action # session :only => :foo, :session_secure => true # + # # the session by default uses HttpOnly sessions for security reasons. + # # this can be switched off. + # session :only => :foo, :session_http_only => false + # # # the session will only be disabled for 'foo', and only if it is # # requested as a web service # session :off, :only => :foo, |