diff options
| -rw-r--r-- | actionpack/CHANGELOG | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/session/cookie_store.rb | 6 | ||||
| -rwxr-xr-x | actionpack/test/controller/session/cookie_store_test.rb | 13 |
3 files changed, 21 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index a4c0061da8..ed24262b07 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,5 +1,7 @@ *SVN* +* Cookie session store: ensure that new sessions doesn't reuse data from a deleted session in the same request. [Jeremy Kemper] + * Deprecation: verification with :redirect_to => :named_route shouldn't be deprecated. #7525 [Justin French] * Cookie session store: raise ArgumentError when :session_key is blank. [Jeremy Kemper] diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb index 7f0afbd4b0..01f059f156 100644 --- a/actionpack/lib/action_controller/session/cookie_store.rb +++ b/actionpack/lib/action_controller/session/cookie_store.rb @@ -96,6 +96,7 @@ class CGI::Session::CookieStore # Delete the session data by setting an expired cookie with no data. def delete @data = nil + clear_old_cookie_value write_cookie('value' => '', 'expires' => 1.year.ago) end @@ -134,4 +135,9 @@ class CGI::Session::CookieStore cookie = CGI::Cookie.new(@cookie_options.merge(options)) @session.cgi.send :instance_variable_set, '@output_cookies', [cookie] end + + # Clear cookie value so subsequent new_session doesn't reload old data. + def clear_old_cookie_value + @session.cgi.cookies[@cookie_options['name']].clear + end end diff --git a/actionpack/test/controller/session/cookie_store_test.rb b/actionpack/test/controller/session/cookie_store_test.rb index 88425b9f02..7d254e4f84 100755 --- a/actionpack/test/controller/session/cookie_store_test.rb +++ b/actionpack/test/controller/session/cookie_store_test.rb @@ -135,6 +135,19 @@ class CookieStoreTest < Test::Unit::TestCase end end + def test_new_session_doesnt_reuse_deleted_cookie_data + set_cookie! cookie_value(:typical) + + new_session do |session| + assert_not_nil session['user_id'] + session.delete + + # Start a new session using the same CGI instance. + post_delete_session = CGI::Session.new(session.cgi, self.class.default_session_options) + assert_nil post_delete_session['user_id'] + end + end + private def assert_no_cookies(session) assert_nil session.cgi.output_cookies, session.cgi.output_cookies.inspect |