authorPratik Naik <pratiknaik@gmail.com>2008-09-27 14:04:46 +0100
committerPratik Naik <pratiknaik@gmail.com>2008-09-27 14:04:46 +0100
commitfda846cf5ddf523b00a39c26591489794b5de568 (patch)
tree00d4860d53e5c861fd9b3f483f04ff0d2db19307 /actionpack/lib/action_controller
parentdf046298715b1927a832973c4c29955696fee02c (diff)
parentea609b265ffc30cac00bf09a262027f96964ed6f (diff)
downloadrails-fda846cf5ddf523b00a39c26591489794b5de568.tar.gz
rails-fda846cf5ddf523b00a39c26591489794b5de568.tar.bz2
rails-fda846cf5ddf523b00a39c26591489794b5de568.zip
Merge commit 'mainstream/master'
Conflicts: activerecord/lib/active_record/base.rb railties/Rakefile railties/doc/guides/activerecord/association_basics.txt railties/doc/guides/debugging/debugging_rails_applications.txt railties/doc/guides/getting_started_with_rails/getting_started_with_rails.txt railties/doc/guides/index.txt railties/doc/guides/migrations/foreign_keys.txt railties/doc/guides/migrations/migrations.txt railties/doc/guides/migrations/writing_a_migration.txt railties/doc/guides/routing/routing_outside_in.txt
Diffstat (limited to 'actionpack/lib/action_controller')
-rw-r--r--actionpack/lib/action_controller/cgi_ext/session.rb24
-rw-r--r--actionpack/lib/action_controller/cgi_process.rb3
-rw-r--r--actionpack/lib/action_controller/rack_process.rb3
-rw-r--r--actionpack/lib/action_controller/session/cookie_store.rb3
-rw-r--r--actionpack/lib/action_controller/session_management.rb4
5 files changed, 12 insertions, 25 deletions
diff --git a/actionpack/lib/action_controller/cgi_ext/session.rb b/actionpack/lib/action_controller/cgi_ext/session.rb
index a01f17f9ce..d3f85e3705 100644
--- a/actionpack/lib/action_controller/cgi_ext/session.rb
+++ b/actionpack/lib/action_controller/cgi_ext/session.rb
@@ -6,28 +6,8 @@ class CGI #:nodoc:
# * Expose the CGI instance to session stores.
# * Don't require 'digest/md5' whenever a new session id is generated.
class Session #:nodoc:
- begin
- require 'securerandom'
-
- # Generate a 32-character unique id using SecureRandom.
- # This is used to generate session ids but may be reused elsewhere.
- def self.generate_unique_id(constant = nil)
- SecureRandom.hex(16)
- end
- rescue LoadError
- # Generate an 32-character unique id based on a hash of the current time,
- # a random number, the process id, and a constant string. This is used
- # to generate session ids but may be reused elsewhere.
- def self.generate_unique_id(constant = 'foobar')
- md5 = Digest::MD5.new
- now = Time.now
- md5 << now.to_s
- md5 << String(now.usec)
- md5 << String(rand(0))
- md5 << String($$)
- md5 << constant
- md5.hexdigest
- end
+ def self.generate_unique_id(constant = nil)
+ ActiveSupport::SecureRandom.hex(16)
end
# Make the CGI instance available to session stores.
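Review bot: The new `generate_unique_id` on the `+` lines keeps the `constant` parameter but never reads it, and the comment that used to sit above the old definition was dropped with the fallback, so a reader now has no hint why an argument is accepted and ignored. Add a comment above the `def`, e.g. `# Generate a 32-character unique id using ActiveSupport::SecureRandom. +constant+ is ignored; it is kept only so callers of the old signature keep working.` The `require 'securerandom'` line is gone as well, so the method presumably depends on ActiveSupport having loaded `ActiveSupport::SecureRandom` before the first session id is generated; since this class lives outside ActiveSupport, that load order is worth confirming rather than assuming.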
diff --git a/actionpack/lib/action_controller/cgi_process.rb b/actionpack/lib/action_controller/cgi_process.rb
index d381af1b84..fabacd9b83 100644
--- a/actionpack/lib/action_controller/cgi_process.rb
+++ b/actionpack/lib/action_controller/cgi_process.rb
@@ -42,7 +42,8 @@ module ActionController #:nodoc:
:prefix => "ruby_sess.", # prefix session file names
:session_path => "/", # available to all paths in app
:session_key => "_session_id",
- :cookie_only => true
+ :cookie_only => true,
+ :session_http_only=> true
}
def initialize(cgi, session_options = {})
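Review bot: The added entry `:session_http_only=> true` is missing the space before `=>` that every other key in this hash uses (`:cookie_only => true`); the identical line appears in the rack_process.rb hunk and should be fixed there too. Since the neighbouring defaults each carry a trailing comment explaining what they control, the new one should as well, e.g. `:session_http_only => true,    # session cookie gets the HttpOnly flag, so client-side script cannot read it`. The options hash these lines belong to opens before the hunk, and `initialize` on the last line continues past it.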
diff --git a/actionpack/lib/action_controller/rack_process.rb b/actionpack/lib/action_controller/rack_process.rb
index 1ace16da07..e8ea3704a8 100644
--- a/actionpack/lib/action_controller/rack_process.rb
+++ b/actionpack/lib/action_controller/rack_process.rb
@@ -14,7 +14,8 @@ module ActionController #:nodoc:
:prefix => "ruby_sess.", # prefix session file names
:session_path => "/", # available to all paths in app
:session_key => "_session_id",
- :cookie_only => true
+ :cookie_only => true,
+ :session_http_only=> true
}
def initialize(env, session_options = DEFAULT_SESSION_OPTIONS)
diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 5bf7503f04..f2fb200950 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -70,7 +70,8 @@ class CGI::Session::CookieStore
'path' => options['session_path'],
'domain' => options['session_domain'],
'expires' => options['session_expires'],
- 'secure' => options['session_secure']
+ 'secure' => options['session_secure'],
+ 'http_only' => options['session_http_only']
}
# Set no_hidden and no_cookies since the session id is unused and we
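Review bot: The new `'http_only' => options['session_http_only']` line evaluates to `nil` whenever the option was not supplied, so in that case the session cookie is presumably emitted without the HttpOnly attribute; the secure default only holds if the `:session_http_only => true` entry from the request-processor defaults actually reaches this store, which the hunk cannot show. The string key `'http_only'` also has to match exactly what the cookie class reads (stdlib `CGI::Cookie` spells its flag `'httponly'`), so a short comment would spare the next reader a lookup, e.g. `'http_only' => options['session_http_only'] # key read by the CGI::Cookie extension; a missing option leaves the flag unset`. The cookie-options hash this line belongs to opens before the hunk.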
diff --git a/actionpack/lib/action_controller/session_management.rb b/actionpack/lib/action_controller/session_management.rb
index f5a1155a46..fd3d94ed97 100644
--- a/actionpack/lib/action_controller/session_management.rb
+++ b/actionpack/lib/action_controller/session_management.rb
@@ -60,6 +60,10 @@ module ActionController #:nodoc:
# # the session will only work over HTTPS, but only for the foo action
# session :only => :foo, :session_secure => true
#
+ # # the session by default uses HttpOnly sessions for security reasons.
+ # # this can be switched off.
+ # session :only => :foo, :session_http_only => false
+ #
# # the session will only be disabled for 'foo', and only if it is
# # requested as a web service
# session :off, :only => :foo,
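Review bot: The added doc lines say the session "uses HttpOnly sessions", which reads as if the session itself rather than its cookie carried the attribute; the option only controls the cookie flag. Suggest `# # the session cookie is sent with the HttpOnly flag by default (so client-side script cannot read it); this can be switched off.` The example line `session :only => :foo, :session_http_only => false` is fine as it mirrors the `:session_secure` example above it.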