From 59092060bcca5082df91370d85212199a2cc0aef Mon Sep 17 00:00:00 2001
From: Erik Bryn <erik.bryn@gmail.com>
Date: Mon, 20 Apr 2009 22:48:32 -0700
Subject: [PATCH] Don't allow a session to be created from a non-existent session ID in a cookie

---
 .../test/activerecord/active_record_store_test.rb  |   10 ++++++++
 activerecord/lib/active_record/session_store.rb    |   24 ++++++++++++++-----
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/actionpack/test/activerecord/active_record_store_test.rb b/actionpack/test/activerecord/active_record_store_test.rb
index 34f1880..7a00091 100644
--- a/actionpack/test/activerecord/active_record_store_test.rb
+++ b/actionpack/test/activerecord/active_record_store_test.rb
@@ -136,6 +136,16 @@ class ActiveRecordStoreTest < ActionController::IntegrationTest
     end
   end
 
+  def test_prevents_session_id_being_generated_from_cookie_value
+    with_test_route_set do
+      cookie_value = "hey_look_i_set_the_session_id"
+      cookies['_session_id'] = cookie_value
+      get '/set_session_value'
+      assert_response :success
+      assert_not_equal cookies['_session_id'], cookie_value
+    end
+  end
+
   def test_allows_session_fixation
     @integration_session = open_session(SessionAppWithFixation)
 
diff --git a/activerecord/lib/active_record/session_store.rb b/activerecord/lib/active_record/session_store.rb
index 21471da..bd2add7 100644
--- a/activerecord/lib/active_record/session_store.rb
+++ b/activerecord/lib/active_record/session_store.rb
@@ -286,16 +286,15 @@ module ActiveRecord
     private
       def get_session(env, sid)
         Base.silence do
-          sid ||= generate_sid
-          session = find_session(sid)
+          session = find_or_create_session(sid)
           env[SESSION_RECORD_KEY] = session
-          [sid, session.data]
+          [session.session_id, session.data]
         end
       end
 
       def set_session(env, sid, session_data)
         Base.silence do
-          record = env[SESSION_RECORD_KEY] ||= find_session(sid)
+          record = env[SESSION_RECORD_KEY] ||= find_or_create_session(sid)
           record.data = session_data
           return false unless record.save
 
@@ -310,9 +309,20 @@ module ActiveRecord
         return true
       end
 
-      def find_session(id)
-        @@session_class.find_by_session_id(id) ||
-          @@session_class.new(:session_id => id, :data => {})
+      def find_session(sid)
+        @@session_class.find_by_session_id(sid)
+      end
+
+      def create_session(sid)
+        @@session_class.new(:session_id => sid, :data => {})
+      end
+
+      def find_or_create_session(sid)
+        unless session = find_session(sid)
+          sid = generate_sid if sid.nil? || @cookie_only
+          session = create_session(sid)
+        end
+        session
       end
   end
 end
-- 
1.6.0.2