Deprecated ActionController::Base.session_options= and ActionController::Base.session_store= in favor of a config.session_store method (which takes params) and a config.cookie_secret variable, which is used in various secret scenarios. The old AC::Base options will continue to work with deprecation warnings.

8 files changed, 27 insertions, 50 deletions

diff --git a/actionpack/lib/action_controller/deprecated/base.rb b/actionpack/lib/action_controller/deprecated/base.rb
index 7aa2a34d37..34f8f4a822 100644
--- a/actionpack/lib/action_controller/deprecated/base.rb
+++ b/actionpack/lib/action_controller/deprecated/base.rb
@@ -78,10 +78,23 @@ module ActionController
         Rails.application.config.action_dispatch.ip_spoofing_check = value
       end
 
+      def session(*args)
+        ActiveSupport::Deprecation.warn(
+          "Disabling sessions for a single controller has been deprecated. " +
+          "Sessions are now lazy loaded. So if you don't access them, " +
+          "consider them off. You can still modify the session cookie " +
+          "options with request.session_options.", caller)
+      end
+
       def session=(value)
         ActiveSupport::Deprecation.warn "ActionController::Base.session= is deprecated. " <<
-          "Please configure it on your application with config.action_dispatch.session=", caller
-        Rails.application.config.action_dispatch.session = value.delete(:disabled) ? nil : value
+          "Please configure it on your application with config.session_store :cookie_store, :key => '....'", caller
+        if value.delete(:disabled)
+          Rails.application.config.session_store :disabled
+        else
+          store = Rails.application.config.session_store
+          Rails.application.config.session_store store, value
+        end
       end
 
       # Controls the resource action separator
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index afa7674e40..f1355a83a3 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -165,7 +165,7 @@ module ActionController
 
         # Authenticate with HTTP Digest, returns true or false
         def authenticate_with_http_digest(realm = "Application", &password_procedure)
-          HttpAuthentication::Digest.authenticate(config.session_options[:secret], request, realm, &password_procedure)
+          HttpAuthentication::Digest.authenticate(config.secret, request, realm, &password_procedure)
         end
 
         # Render output including the HTTP Digest authentication header
@@ -238,7 +238,7 @@ module ActionController
       end
 
       def authentication_header(controller, realm)
-        secret_key = controller.config.session_options[:secret]
+        secret_key = controller.config.secret
         nonce = self.nonce(secret_key)
         opaque = opaque(secret_key)
         controller.headers["WWW-Authenticate"] = %(Digest realm="#{realm}", qop="auth", algorithm=MD5, nonce="#{nonce}", opaque="#{opaque}")
diff --git a/actionpack/lib/action_controller/metal/session_management.rb b/actionpack/lib/action_controller/metal/session_management.rb
index 1ea22b7b28..91d89ff9a4 100644
--- a/actionpack/lib/action_controller/metal/session_management.rb
+++ b/actionpack/lib/action_controller/metal/session_management.rb
@@ -2,38 +2,8 @@ module ActionController #:nodoc:
   module SessionManagement #:nodoc:
     extend ActiveSupport::Concern
 
-    included do
-      # This is still needed for the session secret for some reason.
-      self.config.session_options ||= {}
-    end
-
-    def self.session_store_for(store)
-      case store
-      when :active_record_store
-        ActiveRecord::SessionStore
-      when Symbol
-        ActionDispatch::Session.const_get(store.to_s.camelize)
-      else
-        store
-      end
-    end
-
     module ClassMethods
-      def session_options
-        config.session_options
-      end
-
-      def session_store
-        SessionManagement.session_store_for(config.session_store)
-      end
 
-      def session(*args)
-        ActiveSupport::Deprecation.warn(
-          "Disabling sessions for a single controller has been deprecated. " +
-          "Sessions are now lazy loaded. So if you don't access them, " +
-          "consider them off. You can still modify the session cookie " +
-          "options with request.session_options.", caller)
-      end
     end
   end
 end
diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb
index 031df9423f..e9edf80451 100644
--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@@ -49,11 +49,9 @@ module ActionController
       ac.assets_dir = paths.public.to_a.first
       ac.javascripts_dir = paths.public.javascripts.to_a.first
       ac.stylesheets_dir = paths.public.stylesheets.to_a.first
+      ac.secret = app.config.cookie_secret
 
       ActionController::Base.config.replace(ac)
-      # app.config.action_controller.each do |k,v|
-      #   ActionController::Base.send "#{k}=", v
-      # end
     end
 
     initializer "action_controller.initialize_framework_caches" do
diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index 04a101dbb2..db64711052 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -177,9 +177,8 @@ module ActionDispatch
           if key.blank?
             raise ArgumentError, 'A key is required to write a ' +
               'cookie containing the session data. Use ' +
-              'config.action_controller.session = { :key => ' +
-              '"_myapp_session", :secret => "some secret phrase" } in ' +
-              'config/application.rb'
+              'config.action_controller.session_store :cookie_store, { :key => ' +
+              '"_myapp_session" } in config/application.rb'
           end
         end
 
@@ -193,10 +192,9 @@ module ActionDispatch
           if secret.blank?
             raise ArgumentError, "A secret is required to generate an " +
               "integrity hash for cookie session data. Use " +
-              "config.action_controller.session = { :key => " +
-              "\"_myapp_session\", :secret => \"some secret phrase of at " +
-              "least #{SECRET_MIN_LENGTH} characters\" } " +
-              "in config/environment.rb"
+              "config.cookie_secret = \"some secret phrase of at " +
+              "least #{SECRET_MIN_LENGTH} characters\"" +
+              "in config/application.rb"
           end
 
           if secret.length < SECRET_MIN_LENGTH
diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index 30b3535e17..e486bd4079 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -7,8 +7,6 @@ module ActionDispatch
 
     config.action_dispatch.x_sendfile_header = "X-Sendfile"
     config.action_dispatch.ip_spoofing_check = true
-    config.action_dispatch.session = {}
-    config.action_dispatch.session_store = :cookie_store
 
     # Prepare dispatcher callbacks and run 'prepare' callbacks
     initializer "action_dispatch.prepare_dispatcher" do |app|
diff --git a/actionpack/test/abstract_unit.rb b/actionpack/test/abstract_unit.rb
index 29270ed228..d103c4e485 100644
--- a/actionpack/test/abstract_unit.rb
+++ b/actionpack/test/abstract_unit.rb
@@ -170,8 +170,7 @@ end
 # Temporary base class
 class Rack::TestCase < ActionController::IntegrationTest
   setup do
-    ActionController::Base.session_options[:key] = "abc"
-    ActionController::Base.session_options[:secret] = ("*" * 30)
+    ActionController::Base.config.secret = "abc" * 30
   end
 
   def self.testing(klass = nil)
diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb
index 6f167fe627..eb2af523a2 100644
--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -41,11 +41,12 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
   setup do
     # Used as secret in generating nonce to prevent tampering of timestamp
     @secret = "session_options_secret"
-    @old_secret, ActionController::Base.session_options[:secret] = ActionController::Base.session_options[:secret], @secret
+    @controller.config.secret = @secret
+    # @old_secret, ActionController::Base.config.secret[:secret] = ActionController::Base.session_options[:secret], @secret
   end
 
   teardown do
-    ActionController::Base.session_options[:secret] = @old_secret
+    # ActionController::Base.session_options[:secret] = @old_secret
   end
 
   AUTH_HEADERS.each do |header|