authorJoshua Peek <josh@joshpeek.com>2009-03-09 22:45:38 -0500
committerJoshua Peek <josh@joshpeek.com>2009-03-09 22:46:03 -0500
commit224a534400fd622dda57058d1eed349b8375e5e3 (patch)
tree43dc08e5eb3c2a419169078d73cd50fbc5104098 /actionpack/test
parent4458edc882b229ea44602da20a6440a6f233f1c8 (diff)
reset_session should force a new session id to be generated [#2173]
Diffstat (limited to 'actionpack/test')
-rw-r--r--actionpack/test/activerecord/active_record_store_test.rb25
-rw-r--r--actionpack/test/controller/session/mem_cache_store_test.rb40
2 files changed, 49 insertions, 16 deletions
diff --git a/actionpack/test/activerecord/active_record_store_test.rb b/actionpack/test/activerecord/active_record_store_test.rb
index 7998f9c22f..c98892edc1 100644
--- a/actionpack/test/activerecord/active_record_store_test.rb
+++ b/actionpack/test/activerecord/active_record_store_test.rb
@@ -21,8 +21,15 @@ class ActiveRecordStoreTest < ActionController::IntegrationTest
render :text => "foo: #{session[:foo].inspect}"
end
+ def get_session_id
+ session[:foo]
+ render :text => "#{request.session_options[:id]}"
+ end
+
def call_reset_session
+ session[:bar]
reset_session
+ session[:bar] = "baz"
head :ok
end
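Review bot: The bare `session[:bar]` before `reset_session` in `call_reset_session`, and the bare `session[:foo]` in `get_session_id`, read as dead code; presumably they are there to force the lazily loaded session to be read so that an id exists when the action runs. A short comment such as `# touch the session so it is loaded before reset_session` would keep a later cleanup from deleting them and silently weakening the session-fixation regression test. The same two lines are added in the first hunk of mem_cache_store_test.rb. As a style point, `render :text => request.session_options[:id].to_s` says the same thing as the single-value interpolation.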
@@ -71,6 +78,7 @@ class ActiveRecordStoreTest < ActionController::IntegrationTest
get '/set_session_value'
assert_response :success
assert cookies['_session_id']
+ session_id = cookies['_session_id']
get '/call_reset_session'
assert_response :success
@@ -79,6 +87,23 @@ class ActiveRecordStoreTest < ActionController::IntegrationTest
get '/get_session_value'
assert_response :success
assert_equal 'foo: nil', response.body
+
+ get '/get_session_id'
+ assert_response :success
+ assert_not_equal session_id, response.body
+ end
+ end
+
+ def test_getting_session_id
+ with_test_route_set do
+ get '/set_session_value'
+ assert_response :success
+ assert cookies['_session_id']
+ session_id = cookies['_session_id']
+
+ get '/get_session_id'
+ assert_response :success
+ assert_equal session_id, response.body
end
end
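Review bot: `assert_not_equal session_id, response.body` after the reset also passes when `/get_session_id` renders an empty body, so on its own it does not prove that a new id was issued. Pinning the positive side closes that gap: `assert_equal cookies['_session_id'], response.body` and `assert_not_equal session_id, cookies['_session_id']`. The test also never replays the old id, so it does not show that the pre-reset session is unusable afterwards; whether the store destroys that record is not visible here. The enclosing test method starts above this hunk, and the same assertion is added to `test_setting_session_value_after_session_reset` in mem_cache_store_test.rb.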
diff --git a/actionpack/test/controller/session/mem_cache_store_test.rb b/actionpack/test/controller/session/mem_cache_store_test.rb
index c3a6c8ce45..2f80a3c7c2 100644
--- a/actionpack/test/controller/session/mem_cache_store_test.rb
+++ b/actionpack/test/controller/session/mem_cache_store_test.rb
@@ -17,11 +17,14 @@ class MemCacheStoreTest < ActionController::IntegrationTest
end
def get_session_id
- render :text => "foo: #{session[:foo].inspect}; id: #{request.session_options[:id]}"
+ session[:foo]
+ render :text => "#{request.session_options[:id]}"
end
def call_reset_session
+ session[:bar]
reset_session
+ session[:bar] = "baz"
head :ok
end
@@ -58,47 +61,52 @@ class MemCacheStoreTest < ActionController::IntegrationTest
end
end
- def test_getting_session_id
+ def test_setting_session_value_after_session_reset
with_test_route_set do
get '/set_session_value'
assert_response :success
assert cookies['_session_id']
session_id = cookies['_session_id']
- get '/get_session_id'
+ get '/call_reset_session'
assert_response :success
- assert_equal "foo: \"bar\"; id: #{session_id}", response.body
- end
- end
+ assert_not_equal [], headers['Set-Cookie']
- def test_prevents_session_fixation
- with_test_route_set do
get '/get_session_value'
assert_response :success
assert_equal 'foo: nil', response.body
- session_id = cookies['_session_id']
-
- reset!
- get '/set_session_value', :_session_id => session_id
+ get '/get_session_id'
assert_response :success
- assert_equal nil, cookies['_session_id']
+ assert_not_equal session_id, response.body
end
end
- def test_setting_session_value_after_session_reset
+ def test_getting_session_id
with_test_route_set do
get '/set_session_value'
assert_response :success
assert cookies['_session_id']
+ session_id = cookies['_session_id']
- get '/call_reset_session'
+ get '/get_session_id'
assert_response :success
- assert_not_equal [], headers['Set-Cookie']
+ assert_equal session_id, response.body
+ end
+ end
+ def test_prevents_session_fixation
+ with_test_route_set do
get '/get_session_value'
assert_response :success
assert_equal 'foo: nil', response.body
+ session_id = cookies['_session_id']
+
+ reset!
+
+ get '/set_session_value', :_session_id => session_id
+ assert_response :success
+ assert_equal nil, cookies['_session_id']
end
end
rescue LoadError, RuntimeError
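Review bot: In `test_prevents_session_fixation`, `session_id` is taken from `cookies['_session_id']` without asserting that it is set, so if `/get_session_value` issues no cookie the follow-up request passes `:_session_id => nil` and the test checks nothing. Adding `assert session_id` right after the assignment makes the precondition explicit. The final `assert_equal nil, cookies['_session_id']` would be easier to trust with a comment saying why no cookie is expected after `/set_session_value`. A check that the supplied id was not adopted would also help, for example a following `get '/get_session_id'` with `assert_not_equal session_id, response.body`.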