author | Santiago Pastorino <santiago@wyeworks.com> | 2011-07-12 15:05:29 -0700 |
---|---|---|
committer | Santiago Pastorino <santiago@wyeworks.com> | 2011-07-12 15:05:29 -0700 |
commit | 4735e2ec656163e7400274e237ed37dff5e3fbb6 (patch) | |
tree | 9ab1871a50800100ce35cda9c3b549e045661fd4 /actionpack | |
parent | 8f58bd49d7f089dc12f48be0f83e879936da7f1f (diff) | |
parent | 66dee26930048a0134f339d20d237a32ced2770d (diff) | |
Merge pull request #2041 from SAP-Oxygen/master-session-id-patch-with-test
Fixed session ID fixation for ActiveRecord::SessionStore (for master)
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/test/activerecord/active_record_store_test.rb | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/actionpack/test/activerecord/active_record_store_test.rb b/actionpack/test/activerecord/active_record_store_test.rb index f0fb113860..768ac713ca 100644 --- a/actionpack/test/activerecord/active_record_store_test.rb +++ b/actionpack/test/activerecord/active_record_store_test.rb @@ -225,6 +225,36 @@ class ActiveRecordStoreTest < ActionDispatch::IntegrationTest assert_equal session_id, cookies['_session_id'] end end + + def test_incoming_invalid_session_id_via_cookie_should_be_ignored + with_test_route_set do + open_session do |sess| + sess.cookies['_session_id'] = 'INVALID' + + sess.get '/set_session_value' + new_session_id = sess.cookies['_session_id'] + assert_not_equal 'INVALID', new_session_id + + sess.get '/get_session_value' + new_session_id_2 = sess.cookies['_session_id'] + assert_equal new_session_id, new_session_id_2 + end + end + end + + def test_incoming_invalid_session_id_via_parameter_should_be_ignored + with_test_route_set(:cookie_only => false) do + open_session do |sess| + sess.get '/set_session_value', :_session_id => 'INVALID' + new_session_id = sess.cookies['_session_id'] + assert_not_equal 'INVALID', new_session_id + + sess.get '/get_session_value' + new_session_id_2 = sess.cookies['_session_id'] + assert_equal new_session_id, new_session_id_2 + end + end + end private @@ -247,6 +277,7 @@ class ActiveRecordStoreTest < ActionDispatch::IntegrationTest session_class, ActiveRecord::SessionStore.session_class = ActiveRecord::SessionStore.session_class, "ActiveRecord::SessionStore::#{class_name.camelize}".constantize yield + ensure ActiveRecord::SessionStore.session_class = session_class end end |
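Review bot: Both new tests can pass without any session being issued. `assert_not_equal 'INVALID', new_session_id` holds when `sess.cookies['_session_id']` is nil, and the later `assert_equal new_session_id, new_session_id_2` holds when both reads are nil. Adding `assert_not_nil new_session_id` right after the first read in each test would pin "a fresh id was generated" rather than "the id is anything other than INVALID". If `/get_session_value` echoes the stored value (its definition is outside the hunk), asserting on that response would also confirm the data is bound to the regenerated id and not to the supplied one.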
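Review bot: In the second hunk the bare `ensure` also covers the swap itself, so a failure in `"ActiveRecord::SessionStore::#{class_name.camelize}".constantize` runs the restore while the local `session_class` is still nil. That would leave `ActiveRecord::SessionStore.session_class` set to nil for every later test, whereas before this change the same failure left the setting untouched. Capturing the old value on its own line first, `session_class = ActiveRecord::SessionStore.session_class`, and only then entering the protected region for the swap and `yield` keeps the restore safe. The method's signature is outside the hunk, so this assumes the `ensure` belongs to the method body.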