From 41fb4904e22859178c3002c2acff342073540a64 Mon Sep 17 00:00:00 2001
From: Michael Koziarski
Date: Wed, 21 Nov 2007 04:28:59 +0000
Subject: Refactor cookie_only option to survive multiple requests and add regression tests. References #10048. [theflow]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8176 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/lib/action_controller/cgi_process.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'actionpack/lib/action_controller/cgi_process.rb')

diff --git a/actionpack/lib/action_controller/cgi_process.rb b/actionpack/lib/action_controller/cgi_process.rb
index b3739ce399..6a802aa8fa 100644
--- a/actionpack/lib/action_controller/cgi_process.rb
+++ b/actionpack/lib/action_controller/cgi_process.rb
@@ -33,13 +33,14 @@ module ActionController #:nodoc:
     end
   class CgiRequest < AbstractRequest #:nodoc:
-    attr_accessor :cgi, :session_options, :cookie_only
+    attr_accessor :cgi, :session_options
     class SessionFixationAttempt < StandardError; end #:nodoc:
     DEFAULT_SESSION_OPTIONS = {
       :database_manager => CGI::Session::CookieStore, # store data in cookie
       :prefix           => "ruby_sess.",                # prefix session file names
       :session_path     => "/",                         # available to all paths in app
+      :session_key      => "_session_id",
       :cookie_only      => true
     } unless const_defined?(:DEFAULT_SESSION_OPTIONS)
@@ -47,7 +48,6 @@ module ActionController #:nodoc:
       @cgi = cgi
       @session_options = session_options
       @env = @cgi.send!(:env_table)
-      @cookie_only = session_options.delete :cookie_only
       super()
     end
@@ -112,7 +112,7 @@ module ActionController #:nodoc:
           @session = Hash.new
         else
           stale_session_check! do
-            if @cookie_only && request_parameters[session_options_with_string_keys['session_key']]
+            if cookie_only? && query_parameters[session_options_with_string_keys['session_key']]
               raise SessionFixationAttempt
             end
             case value = session_options_with_string_keys['new_session']
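Review bot: `DEFAULT_SESSION_OPTIONS` remains a mutable hash shared by every request, which is the same shape of problem this commit fixes by dropping `session_options.delete :cookie_only` in the constructor hunk; freezing it would make any future in-place mutation of the defaults raise instead of silently changing behaviour for later requests, e.g. `}.freeze unless const_defined?(:DEFAULT_SESSION_OPTIONS)`. This presumes callers merge the constant rather than mutate it, which is not visible in this hunk. The new `:session_key => "_session_id"` entry is also the only one without the trailing explanatory comment its neighbours carry; suggest `# parameter name the fixation check looks up for a supplied session id`.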
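Review bot: The fixation check on the `+` line of the third hunk now only rejects a session id arriving in `query_parameters`; a value in the POST body (`request_parameters`, which the removed line checked) no longer raises `SessionFixationAttempt`. Whether that weakens the cookie_only guarantee depends on whether the session layer would fall back to body parameters when no cookie is present, which is not visible here; if it would, checking both `query_parameters` and `request_parameters` under the `session_key` keeps the guard complete. The method enclosing this hunk starts and ends outside it.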
@@ -158,6 +158,10 @@ module ActionController #:nodoc:
       end
     end
+    def cookie_only?
+      session_options_with_string_keys['cookie_only']
+    end
+
     def stale_session_check!
       yield
     rescue ArgumentError => argument_error
-- 
cgit v1.2.3
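Review bot: `cookie_only?` returns the raw option value rather than a boolean, so a caller that compares or serialises the result gets whatever object was stored under `'cookie_only'`; the conventional predicate form is `!!session_options_with_string_keys['cookie_only']`. The method also lacks a comment recording why it re-reads the option on every call instead of caching it in an instance variable; suggest `# Read from session_options each time so the option survives across requests (see #10048).` Whether this lands in the public or private section of `CgiRequest` is not visible in the hunk; if its only caller is the fixation check, it belongs below `private`.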