authorJean-Philippe Lang <jp_lang@yahoo.fr>2009-11-21 10:02:39 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2009-11-21 10:02:39 +0000
commit0485d3a52408cb1819ce2771cc48a76fb49b8629 (patch)
tree64b52a248ff6d8d1c1a11bd9bf7305e840a650a1
parent4e3202d2a2c5c03428b756e06238651dffd6e369 (diff)
downloadredmine-0485d3a52408cb1819ce2771cc48a76fb49b8629.tar.gz
redmine-0485d3a52408cb1819ce2771cc48a76fb49b8629.zip
Reset session on login/logout (#4248).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3080 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/application_controller.rb2
-rw-r--r--test/integration/account_test.rb18
2 files changed, 19 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2bcfac952..1f8967956 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -61,12 +61,12 @@ class ApplicationController < ActionController::Base
# Sets the logged in user
def logged_user=(user)
+ reset_session
if user && user.is_a?(User)
User.current = user
session[:user_id] = user.id
else
User.current = User.anonymous
- session[:user_id] = nil
end
end
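Review bot: The comment above `logged_user=` still reads only "Sets the logged in user", but with `reset_session` added as the first statement the setter now discards the whole session on both branches, not just `:user_id`. I would document that, e.g. `# Sets the logged in user; resets the session first so a pre-login session id is never reused (session fixation)`. Callers that store anything in the session before assigning the user would presumably lose it, so such data has to be written after this call; the call sites are outside this hunk and worth checking.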
diff --git a/test/integration/account_test.rb b/test/integration/account_test.rb
index 497d510f4..c612ea23c 100644
--- a/test/integration/account_test.rb
+++ b/test/integration/account_test.rb
@@ -182,6 +182,24 @@ class AccountTest < ActionController::IntegrationTest
assert user.hashed_password.blank?
end
+ def test_login_and_logout_should_clear_session
+ get '/login'
+ sid = session[:session_id]
+
+ post '/login', :username => 'admin', :password => 'admin'
+ assert_redirected_to 'my/page'
+ assert_not_equal sid, session[:session_id], "login should reset session"
+ assert_equal 1, session[:user_id]
+ sid = session[:session_id]
+
+ get '/'
+ assert_equal sid, session[:session_id]
+
+ get '/logout'
+ assert_not_equal sid, session[:session_id], "logout should reset session"
+ assert_nil session[:user_id]
+ end
+
else
puts 'Mocha is missing. Skipping tests.'
end
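Review bot: The pre-login `sid` captured after `get '/login'` is never checked for presence, so if the anonymous request does not establish a session id, `sid` is nil and `assert_not_equal sid, session[:session_id]` passes without proving the id was rotated. Adding `assert_not_nil sid` right after the first `sid = session[:session_id]` would make the login assertion meaningful. The test also compares only ids and `:user_id`; it does not show that other data placed in the session before login is gone afterwards, which is the other half of what `reset_session` should guarantee. The enclosing class and the Mocha `if`/`else` guard begin outside this hunk.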