Backported r3080 from trunk (#4248).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 21 Nov 2009 10:33:12 +0000 (10:33 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 21 Nov 2009 10:33:12 +0000 (10:33 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/0.8-stable@3081 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/account_controller.rb
test/integration/account_test.rb

index 04c3023e01aa0dcde7104e5ac644eb7fbba9a0bb..0335f01f7a812b7561dac11b44fd6d961530ce40 100644 (file)
@@ -188,12 +188,12 @@ class AccountController < ApplicationController
   
 private
   def logged_user=(user)
+    reset_session
     if user && user.is_a?(User)
       User.current = user
       session[:user_id] = user.id
     else
       User.current = User.anonymous
-      session[:user_id] = nil
     end
   end
 end
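Review bot: The new `reset_session` at the top of `logged_user=` has no comment explaining why it is there, and its position matters. It has to run before `session[:user_id]` is written, so that the authenticated state lands under a fresh session id rather than one that was fixed before login. I would add `# Issue a new session id on every login/logout (session fixation); must run before any session write` above it. The reset also discards everything else held in the pre-login session, so any value a caller expects to survive login (none is visible in this hunk) would have to be carried over explicitly. Any code path outside this hunk that writes `session[:user_id]` directly instead of going through this setter would not get the reset and is worth checking.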
index c6cfd080e1c000e7606c86ed90d37ff81fd79eb7..d2c757a01a1d2bd5ee8c26ea4de9533a6df4ef9b 100644 (file)
@@ -147,6 +147,24 @@ class AccountTest < ActionController::IntegrationTest
     assert user.hashed_password.blank?
   end
   
+  def test_login_and_logout_should_clear_session
+    get '/login'
+    sid = session.session_id
+    
+    post '/login', :username => 'admin', :password => 'admin'
+    assert_redirected_to 'my/page'
+    assert_not_equal sid, session.session_id, "login should reset session"
+    assert_equal 1, session[:user_id]
+    sid = session.session_id
+    
+    get '/'
+    assert_equal sid, session.session_id
+      
+    get '/logout'
+    assert_not_equal sid, session.session_id, "logout should reset session"
+    assert_nil session[:user_id]
+  end
+  
   else
     puts 'Mocha is missing. Skipping tests.'
   end
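Review bot: `assert_equal 1, session[:user_id]` after the login redirect ties the test to the fixture id of the admin account; `assert_equal User.find_by_login('admin').id, session[:user_id]` states the intent and survives a fixture change. The test should also carry a one-line comment naming what it guards, e.g. `# session id must change at login and at logout so a pre-login id cannot be reused (session fixation)`. It only checks that the id differs, not that data stored in the anonymous session is gone after login, which is the other half of what `reset_session` is relied on for. The `if`/`else` that wraps these tests starts outside the hunk.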