-rw-r--r--actionpack/CHANGELOG2
-rw-r--r--actionpack/lib/action_controller/session/cookie_store.rb6
-rwxr-xr-xactionpack/test/controller/session/cookie_store_test.rb13
3 files changed, 21 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index a4c0061da8..ed24262b07 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Cookie session store: ensure that new sessions doesn't reuse data from a deleted session in the same request. [Jeremy Kemper]
+
* Deprecation: verification with :redirect_to => :named_route shouldn't be deprecated. #7525 [Justin French]
* Cookie session store: raise ArgumentError when :session_key is blank. [Jeremy Kemper]
diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
index 7f0afbd4b0..01f059f156 100644
--- a/actionpack/lib/action_controller/session/cookie_store.rb
+++ b/actionpack/lib/action_controller/session/cookie_store.rb
@@ -96,6 +96,7 @@ class CGI::Session::CookieStore
# Delete the session data by setting an expired cookie with no data.
def delete
@data = nil
+ clear_old_cookie_value
write_cookie('value' => '', 'expires' => 1.year.ago)
end
@@ -134,4 +135,9 @@ class CGI::Session::CookieStore
cookie = CGI::Cookie.new(@cookie_options.merge(options))
@session.cgi.send :instance_variable_set, '@output_cookies', [cookie]
end
+
+ # Clear cookie value so subsequent new_session doesn't reload old data.
+ def clear_old_cookie_value
+ @session.cgi.cookies[@cookie_options['name']].clear
+ end
end
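Review bot: `clear_old_cookie_value` is added as a public method just before the class's closing `end`, so unless a `private` marker above `write_cookie` (outside this hunk) already covers it, any holder of the store can mutate the request's cookie jar through it; add `private :clear_old_cookie_value` or place it under a `private` section. The lookup `@session.cgi.cookies[@cookie_options['name']]` is also unguarded: on a request that carried no session cookie the result depends on the cookie hash's default (CGI::Cookie.parse builds it with `Hash.new([])`, so `clear` would be a harmless no-op on the shared default array, but that is an implementation detail rather than a contract), so the safer form is `cookie = @session.cgi.cookies[@cookie_options['name']]` followed by `cookie.clear if cookie`. The comment could also say why both steps in `delete` are needed: `write_cookie` expires the cookie on the response side, while this clears the already-parsed value so a new session built on the same CGI instance in the same request (e.g. after a delete) starts empty instead of reviving the old data.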
diff --git a/actionpack/test/controller/session/cookie_store_test.rb b/actionpack/test/controller/session/cookie_store_test.rb
index 88425b9f02..7d254e4f84 100755
--- a/actionpack/test/controller/session/cookie_store_test.rb
+++ b/actionpack/test/controller/session/cookie_store_test.rb
@@ -135,6 +135,19 @@ class CookieStoreTest < Test::Unit::TestCase
end
end
+ def test_new_session_doesnt_reuse_deleted_cookie_data
+ set_cookie! cookie_value(:typical)
+
+ new_session do |session|
+ assert_not_nil session['user_id']
+ session.delete
+
+ # Start a new session using the same CGI instance.
+ post_delete_session = CGI::Session.new(session.cgi, self.class.default_session_options)
+ assert_nil post_delete_session['user_id']
+ end
+ end
+
private
def assert_no_cookies(session)
assert_nil session.cgi.output_cookies, session.cgi.output_cookies.inspect
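Review bot: The new test only exercises `delete` on a request that carries a session cookie, so the path where `@session.cgi.cookies[name]` finds nothing (a first request, or one whose cookie was already expired) is not covered; a companion test that calls `session.delete` inside `new_session` without a preceding `set_cookie!` and asserts it does not raise would pin that behaviour. It would also be worth asserting in the existing test that `post_delete_session` carries no other key from the `:typical` cookie, not just `user_id`, since the fix is meant to drop the whole old value. The `assert_no_cookies` helper begins on the hunk's last line and continues outside it.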