module ActionController #:nodoc:
  module SessionManagement #:nodoc:
    def self.included(base)
      base.class_eval do
        extend ClassMethods
      end
    end

    class Middleware
      DEFAULT_OPTIONS = {
        :path     => "/",
        :key      => "_session_id",
        :httponly => true,
      }.freeze

      def self.new(app)
        cgi_options = ActionController::Base.session_options
        options = cgi_options.symbolize_keys
        options = DEFAULT_OPTIONS.merge(options)
        if options.has_key?(:session_path)
          options[:path] = options.delete(:session_path)
        end
        if options.has_key?(:session_key)
          options[:key] = options.delete(:session_key)
        end
        if options.has_key?(:session_http_only)
          options[:httponly] = options.delete(:session_http_only)
        end

        if store = ActionController::Base.session_store
          store.new(app, options)
        else # Sessions disabled
          lambda { |env| app.call(env) }
        end
      end
    end

    module ClassMethods
      # Set the session store to be used for keeping the session data between requests.
      # By default, sessions are stored in browser cookies (<tt>:cookie_store</tt>),
      # but you can also specify one of the other included stores (<tt>:active_record_store</tt>,
      # <tt>:mem_cache_store</tt>, or your own custom class.
      def session_store=(store)
        if store == :active_record_store
          self.session_store = ActiveRecord::SessionStore
        else
          @@session_store = store.is_a?(Symbol) ?
            Session.const_get(store.to_s.camelize) :
            store
        end
      end

      # Returns the session store class currently used.
      def session_store
        if defined? @@session_store
          @@session_store
        else
          Session::CookieStore
        end
      end

      def session=(options = {})
        self.session_store = nil if options.delete(:disabled)
        session_options.merge!(options)
      end

      # Returns the hash used to configure the session. Example use:
      #
      #   ActionController::Base.session_options[:session_secure] = true # session only available over HTTPS
      def session_options
        @session_options ||= {}
      end

      def session(*args)
        ActiveSupport::Deprecation.warn(
          "Disabling sessions for a single controller has been deprecated. " +
          "Sessions are now lazy loaded. So if you don't access them, " +
          "consider them off. You can still modify the session cookie " +
          "options with request.session_options.", caller)
      end
    end
  end
end