From 000edbbbaceedc2f6df2b039d44de6e7cb7118e7 Mon Sep 17 00:00:00 2001
From: Steve Klabnik
Date: Fri, 31 Aug 2012 11:36:05 -0700
Subject: Properly reset the session on reset_session Fixes #7478
---
 actionpack/lib/action_dispatch/http/request.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'actionpack/lib')
diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index d24c7c7f3f..b8ebeb408f 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -227,8 +227,11 @@ module ActionDispatch
 # TODO This should be broken apart into AD::Request::Session and probably
 # be included by the session middleware.
 def reset_session
- session.destroy if session && session.respond_to?(:destroy)
- self.session = {}
+ if session && session.respond_to?(:destroy)
+ session.destroy
+ else
+ self.session = {}
+ end
 @env['action_dispatch.request.flash_hash'] = nil
 end
-- cgit v1.2.3
From 54a0b01f760354ee8002d136b322d6ea429b67f6 Mon Sep 17 00:00:00 2001
From: Andreas Loupasakis
Date: Sat, 1 Sep 2012 14:20:43 +0300
Subject: Assign a new session_id to session options hash
---
 actionpack/lib/action_dispatch/request/session.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'actionpack/lib')
diff --git a/actionpack/lib/action_dispatch/request/session.rb b/actionpack/lib/action_dispatch/request/session.rb
index d8bcc28613..0e0d7a1a33 100644
--- a/actionpack/lib/action_dispatch/request/session.rb
+++ b/actionpack/lib/action_dispatch/request/session.rb
@@ -70,8 +70,8 @@ module ActionDispatch
 def destroy
 clear
 options = self.options || {}
- @by.send(:destroy_session, @env, options[:id], options)
- options[:id] = nil
+ new_sid = @by.send(:destroy_session, @env, options[:id], options)
+ options[:id] = new_sid # Reset session id with a new value or nil
 @loaded = false
 end
-- cgit v1.2.3
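Review bot: In `reset_session` (http/request.rb), the new `if` branch leaves the reset entirely to `session.destroy`, and nothing states what the method guarantees afterwards. Applications call `reset_session` at login as their defence against session fixation, so the expected outcome deserves to be written down: old data gone and, where the store supports it, a different session id. I would add above the `if` something like `# Destroy through the session object so the store can clear its data and issue a new id; a bare Hash is only the fallback for sessions without #destroy.` A test asserting both properties after `reset_session` would keep later changes to `destroy` from silently weakening it; such tests may exist outside the path-limited view shown here.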
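Review bot: In `Session#destroy` (request/session.rb), when `self.options` is nil the local `options` is the temporary `{}` from `self.options || {}`, so `options[:id] = new_sid` stores the regenerated id in a hash nothing else reads and the new id is lost. The assignment also assumes every store's `destroy_session` returns either the replacement id or nil; a store that returns some other truthy value would have it recorded as the session id. Both are worth pinning down because this path is what replaces the id on a reset. I would document the contract at the call, `# destroy_session must return the new session id, or nil when no session replaces the old one`, and confirm whether the nil-options case can occur here.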
From 7fd6bd69e65b8cf9b844c46b98f79fb4b13b1c6a Mon Sep 17 00:00:00 2001
From: Andreas Loupasakis
Date: Sat, 1 Sep 2012 14:21:49 +0300
Subject: Override rack's destroy_session in cookie store
---
 actionpack/lib/action_dispatch/middleware/session/cookie_store.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'actionpack/lib')
diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index 9b159b2caf..019849ef95 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -44,6 +44,14 @@ module ActionDispatch
 include StaleSessionCheck
 include SessionObject
+ # Override rack's method
+ def destroy_session(env, session_id, options)
+ new_sid = super
+ # Reset hash and Assign the new session id
+ env["action_dispatch.request.unsigned_session_cookie"] = new_sid ? { "session_id" => new_sid } : {}
+ new_sid
+ end
+
 private
 def unpacked_cookie_data(env)
-- cgit v1.2.3
From 8bfcb0de3a2599925ce714cddc49d608ff8e03a8 Mon Sep 17 00:00:00 2001
From: Andreas Loupasakis
Date: Sun, 2 Sep 2012 00:41:23 +0300
Subject: Force reloading of the session after destroy Use load_for_write! to ensure a refresh of the session object. This way the new session_id and the empty data will be stored properly. E.g. in the case of the session cookie store this means that a new digest will be returned to the user.
---
 actionpack/lib/action_dispatch/request/session.rb | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'actionpack/lib')
diff --git a/actionpack/lib/action_dispatch/request/session.rb b/actionpack/lib/action_dispatch/request/session.rb
index 0e0d7a1a33..e17f2a5de6 100644
--- a/actionpack/lib/action_dispatch/request/session.rb
+++ b/actionpack/lib/action_dispatch/request/session.rb
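Review bot: `destroy_session` in middleware/session/cookie_store.rb is defined above the `private` line, so the override is public. The caller in request/session.rb reaches it with `@by.send(:destroy_session, ...)`, which suggests the inherited method is not public; if so, this override widens the visibility of a method that discards session state, and moving the definition below `private` would keep it in line with the parent. The comment `# Override rack's method` could also say why the override exists, e.g. `# Replace the cached unsigned cookie so a later load presumably sees only the new session id (or nothing), not the old data.` The enclosing class starts and ends outside the hunk, so the parent's visibility should be checked there.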
@@ -72,7 +72,10 @@ module ActionDispatch
 options = self.options || {}
 new_sid = @by.send(:destroy_session, @env, options[:id], options)
 options[:id] = new_sid # Reset session id with a new value or nil
+
+ # Load the new sid to be written with the response
 @loaded = false
+ load_for_write!
 end
 def [](key)
-- cgit v1.2.3
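Review bot: In `Session#destroy` (request/session.rb), `load_for_write!` runs unconditionally, including when `new_sid` is nil, the case the comment on the `options[:id]` line explicitly allows for. Whether reloading after a nil id makes the store create a fresh session that it meant to drop cannot be told from this hunk; it should be confirmed and then either guarded, `load_for_write! if new_sid`, or documented as intended. The added comment `# Load the new sid to be written with the response` also sits above `@loaded = false` rather than above the call it describes; placing it directly over `load_for_write!` and noting that clearing `@loaded` is presumably what forces the reload would read more clearly. `destroy` begins above the hunk.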