3 files changed, 72 insertions, 18 deletions

diff --git a/actionpack/test/controller/session/cookie_store_test.rb b/actionpack/test/controller/session/cookie_store_test.rb
index b48a8c3830..9b3f9afb0d 100644
--- a/actionpack/test/controller/session/cookie_store_test.rb
+++ b/actionpack/test/controller/session/cookie_store_test.rb
@@ -24,13 +24,17 @@ class CookieStoreTest < ActionController::IntegrationTest
 
     def set_session_value
       session[:foo] = "bar"
-      render :text => Verifier.generate(session.to_hash)
+      render :text => Rack::Utils.escape(Verifier.generate(session.to_hash))
     end
 
     def get_session_value
       render :text => "foo: #{session[:foo].inspect}"
     end
 
+    def get_session_id
+      render :text => "foo: #{session[:foo].inspect}; id: #{request.session_options[:id]}"
+    end
+
     def call_reset_session
       reset_session
       head :ok
@@ -93,7 +97,7 @@ class CookieStoreTest < ActionController::IntegrationTest
     with_test_route_set do
       get '/set_session_value'
       assert_response :success
-      assert_equal ["_myapp_session=#{response.body}; path=/; httponly"],
+      assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly",
         headers['Set-Cookie']
    end
   end
@@ -107,6 +111,20 @@ class CookieStoreTest < ActionController::IntegrationTest
    end
   end
 
+  def test_getting_session_id
+    with_test_route_set do
+      cookies[SessionKey] = SignedBar
+      get '/persistent_session_id'
+      assert_response :success
+      assert_equal response.body.size, 32
+      session_id = response.body
+
+      get '/get_session_id'
+      assert_response :success
+      assert_equal "foo: \"bar\"; id: #{session_id}", response.body
+    end
+  end
+
   def test_disregards_tampered_sessions
     with_test_route_set do
       cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--123456780"
@@ -128,7 +146,7 @@ class CookieStoreTest < ActionController::IntegrationTest
     with_test_route_set do
       get '/no_session_access'
       assert_response :success
-      assert_equal [], headers['Set-Cookie']
+      assert_equal "", headers['Set-Cookie']
     end
   end
 
@@ -138,7 +156,7 @@ class CookieStoreTest < ActionController::IntegrationTest
         "fef868465920f415f2c0652d6910d3af288a0367"
       get '/no_session_access'
       assert_response :success
-      assert_equal [], headers['Set-Cookie']
+      assert_equal "", headers['Set-Cookie']
     end
   end
 
@@ -147,7 +165,7 @@ class CookieStoreTest < ActionController::IntegrationTest
       get '/set_session_value'
       assert_response :success
       session_payload = response.body
-      assert_equal ["_myapp_session=#{response.body}; path=/; httponly"],
+      assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly",
         headers['Set-Cookie']
 
       get '/call_reset_session'
@@ -192,7 +210,8 @@ class CookieStoreTest < ActionController::IntegrationTest
       assert_response :success
 
       cookie_body = response.body
-      assert_equal ["_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; httponly"], headers['Set-Cookie']
+      assert_equal "_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; HttpOnly",
+        headers['Set-Cookie']
 
       # Second request does not access the session
       time = Time.local(2008, 4, 25)
@@ -202,7 +221,8 @@ class CookieStoreTest < ActionController::IntegrationTest
       get '/no_session_access'
       assert_response :success
 
-      assert_equal ["_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; httponly"], headers['Set-Cookie']
+      assert_equal "_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; HttpOnly",
+        headers['Set-Cookie']
     end
   end
 
@@ -217,4 +237,13 @@ class CookieStoreTest < ActionController::IntegrationTest
         yield
       end
     end
+
+    def unmarshal_session(cookie_string)
+      session = Rack::Utils.parse_query(cookie_string, ';,').inject({}) {|h,(k,v)|
+        h[k] = Array === v ? v.first : v
+        h
+      }[SessionKey]
+      verifier = ActiveSupport::MessageVerifier.new(SessionSecret, 'SHA1')
+      verifier.verify(session)
+    end
 end
diff --git a/actionpack/test/controller/session/mem_cache_store_test.rb b/actionpack/test/controller/session/mem_cache_store_test.rb
index 2e2bf79148..7561c93e4a 100644
--- a/actionpack/test/controller/session/mem_cache_store_test.rb
+++ b/actionpack/test/controller/session/mem_cache_store_test.rb
@@ -16,8 +16,15 @@ class MemCacheStoreTest < ActionController::IntegrationTest
       render :text => "foo: #{session[:foo].inspect}"
     end
 
+    def get_session_id
+      session[:foo]
+      render :text => "#{request.session_options[:id]}"
+    end
+
     def call_reset_session
+      session[:bar]
       reset_session
+      session[:bar] = "baz"
       head :ok
     end
 
@@ -50,38 +57,56 @@ class MemCacheStoreTest < ActionController::IntegrationTest
       with_test_route_set do
         get '/get_session_value'
         assert_response :success
-      assert_equal 'foo: nil', response.body
+        assert_equal 'foo: nil', response.body
       end
     end
 
-    def test_prevents_session_fixation
+    def test_setting_session_value_after_session_reset
       with_test_route_set do
-        get '/get_session_value'
+        get '/set_session_value'
         assert_response :success
-        assert_equal 'foo: nil', response.body
+        assert cookies['_session_id']
         session_id = cookies['_session_id']
 
-        reset!
+        get '/call_reset_session'
+        assert_response :success
+        assert_not_equal [], headers['Set-Cookie']
 
-        get '/set_session_value', :_session_id => session_id
+        get '/get_session_value'
         assert_response :success
-        assert_equal nil, cookies['_session_id']
+        assert_equal 'foo: nil', response.body
+
+        get '/get_session_id'
+        assert_response :success
+        assert_not_equal session_id, response.body
       end
     end
 
-    def test_setting_session_value_after_session_reset
+    def test_getting_session_id
       with_test_route_set do
         get '/set_session_value'
         assert_response :success
         assert cookies['_session_id']
+        session_id = cookies['_session_id']
 
-        get '/call_reset_session'
+        get '/get_session_id'
         assert_response :success
-        assert_not_equal [], headers['Set-Cookie']
+        assert_equal session_id, response.body
+      end
+    end
 
+    def test_prevents_session_fixation
+      with_test_route_set do
         get '/get_session_value'
         assert_response :success
         assert_equal 'foo: nil', response.body
+        session_id = cookies['_session_id']
+
+        reset!
+
+        get '/set_session_value', :_session_id => session_id
+        assert_response :success
+        assert_equal nil, cookies['_session_id']
       end
     end
   rescue LoadError, RuntimeError
diff --git a/actionpack/test/controller/session/test_session_test.rb b/actionpack/test/controller/session/test_session_test.rb
index 83103be3ec..de6539e1cc 100644
--- a/actionpack/test/controller/session/test_session_test.rb
+++ b/actionpack/test/controller/session/test_session_test.rb
@@ -33,7 +33,7 @@ class ActionController::TestSessionTest < ActiveSupport::TestCase
     assert_equal('value', session[:key])
   end
   
-  def test_calling_delete_removes item
+  def test_calling_delete_removes_item
     session = ActionController::TestSession.new
     session[:key] = 'value'
     assert_equal('value', session[:key])