From 96714137589009c171e71497fb81072ac82530aa Mon Sep 17 00:00:00 2001 From: Shin-ichiro OGAWA Date: Tue, 25 May 2010 16:07:03 +0900 Subject: [PATCH 2/2] regenerate session_id if session_id is blank. Signed-off-by: Shin-ichiro OGAWA --- .../action_controller/session/abstract_store.rb | 8 +++++++- .../test/activerecord/active_record_store_test.rb | 9 +++++---- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/actionpack/lib/action_controller/session/abstract_store.rb b/actionpack/lib/action_controller/session/abstract_store.rb index 7a20557..9ffddde 100644 --- a/actionpack/lib/action_controller/session/abstract_store.rb +++ b/actionpack/lib/action_controller/session/abstract_store.rb @@ -130,6 +130,12 @@ module ActionController session_data = env[ENV_SESSION_KEY] options = env[ENV_SESSION_OPTIONS_KEY] + if options.has_key?(:id) and options[:id].blank? + session_data = env[ENV_SESSION_KEY] = SessionHash.new(self, {}) + env[ENV_SESSION_OPTIONS_KEY].delete(:id) + options = env[ENV_SESSION_OPTIONS_KEY] + end + if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after] session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?) @@ -167,7 +173,7 @@ module ActionController def load_session(env) request = Rack::Request.new(env) - sid = request.cookies[@key] + sid = request.cookies[@key].blank? ? nil : request.cookies[@key] unless @cookie_only sid ||= request.params[@key] end diff --git a/actionpack/test/activerecord/active_record_store_test.rb b/actionpack/test/activerecord/active_record_store_test.rb index f0b3b3e..c06cdaf 100644 --- a/actionpack/test/activerecord/active_record_store_test.rb +++ b/actionpack/test/activerecord/active_record_store_test.rb @@ -112,17 +112,18 @@ class ActiveRecordStoreTest < ActionController::IntegrationTest end end - def test_blank_session_id + def test_blank_session_id_is_forbidden with_test_route_set do - cookies['_session_id'] = "" + cookies['_session_id'] = '' get '/set_session_value' assert_response :success - assert_equal cookies['_session_id'], "" + assert_not_equal cookies['_session_id'], "" session_id = cookies['_session_id'] + cookies['_session_id'] = '' get '/get_session_id_and_value' assert_response :success - assert_equal "bar: :", response.body + assert_equal response.body.size, 35 end end -- 1.6.5