From bb4c32e2b5858b25524191ee4868e616fa5bd9be Mon Sep 17 00:00:00 2001 From: Jeremy Kemper Date: Wed, 9 Nov 2005 06:00:46 +0000 Subject: Delete existing sessions with the same session id before creating a new session. Prevents duplication and hijacking. git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@2946 5ecf4fe2-1ee6-0310-87b1-e25e094e27de --- actionpack/lib/action_controller/cgi_process.rb | 69 +++++++++++++++---------- 1 file changed, 42 insertions(+), 27 deletions(-) (limited to 'actionpack/lib') diff --git a/actionpack/lib/action_controller/cgi_process.rb b/actionpack/lib/action_controller/cgi_process.rb index 7f05e21cb8..62bbd02e32 100644 --- a/actionpack/lib/action_controller/cgi_process.rb +++ b/actionpack/lib/action_controller/cgi_process.rb @@ -89,37 +89,26 @@ module ActionController #:nodoc: def port_from_http_host $1.to_i if env['HTTP_HOST'] && /:(\d+)$/ =~ env['HTTP_HOST'] end - - def session - return @session unless @session.nil? - begin - @session = (@session_options == false ? {} : CGI::Session.new(@cgi, session_options_with_string_keys)) - @session["__valid_session"] - return @session - rescue ArgumentError => e - if e.message =~ %r{undefined class/module (\w+)} - begin - Module.const_missing($1) - rescue LoadError, NameError => e - raise( - ActionController::SessionRestoreError, - "Session contained objects where the class definition wasn't available. " + - "Remember to require classes for all objects kept in the session. " + - "(Original exception: #{e.message} [#{e.class}])" - ) - end - - retry + def session + unless @session + if @session_options == false + @session = Hash.new else - raise + if session_options_with_string_keys['new_session'] == true + @session = new_session + else + @session = CGI::Session.new(@cgi, session_options_with_string_keys) + end + stale_session_check! end end + @session end - + def reset_session @session.delete if CGI::Session === @session - @session = (@session_options == false ? {} : new_session) + @session = new_session end def method_missing(method_id, *arguments) @@ -127,12 +116,38 @@ module ActionController #:nodoc: end private + # Delete an old session if it exists then create a new one. def new_session - CGI::Session.new(@cgi, session_options_with_string_keys.update("new_session" => true)) + if @session_options == false + Hash.new + else + CGI::Session.new(@cgi, session_options_with_string_keys.merge("new_session" => false)).delete rescue nil + CGI::Session.new(@cgi, session_options_with_string_keys.merge("new_session" => true)) + end end - + + def stale_session_check! + @session['__valid_session'] + rescue ArgumentError => argument_error + if argument_error.message =~ %r{undefined class/module (\w+)} + begin + Module.const_missing($1) + rescue LoadError, NameError => const_error + raise ActionController::SessionRestoreError, <