reset_session should force a new session id to be generated [#2173]

actionpack/lib/action_controller/request.rb

@@ -442,6 +442,7 @@ def session=(session) #:nodoc:
     end
 
     def reset_session
+      @env['rack.session.options'].delete(:id)
       @env['rack.session'] = {}
     end
 

actionpack/test/activerecord/active_record_store_test.rb

@@ -21,8 +21,15 @@ def get_session_value
       render :text => "foo: #{session[:foo].inspect}"
     end
 
+    def get_session_id
+      session[:foo]
+      render :text => "#{request.session_options[:id]}"
+    end
+
     def call_reset_session
+      session[:bar]
       reset_session
+      session[:bar] = "baz"
       head :ok
     end
 
@@ -71,6 +78,7 @@ def test_setting_session_value_after_session_reset
       get '/set_session_value'
       assert_response :success
       assert cookies['_session_id']
+      session_id = cookies['_session_id']
 
       get '/call_reset_session'
       assert_response :success
@@ -79,6 +87,23 @@ def test_setting_session_value_after_session_reset
       get '/get_session_value'
       assert_response :success
       assert_equal 'foo: nil', response.body
+
+      get '/get_session_id'
+      assert_response :success
+      assert_not_equal session_id, response.body
+    end
+  end
+
+  def test_getting_session_id
+    with_test_route_set do
+      get '/set_session_value'
+      assert_response :success
+      assert cookies['_session_id']
+      session_id = cookies['_session_id']
+
+      get '/get_session_id'
+      assert_response :success
+      assert_equal session_id, response.body
     end
   end
 

actionpack/test/controller/session/mem_cache_store_test.rb

@@ -17,11 +17,14 @@ def get_session_value
     end
 
     def get_session_id
-      render :text => "foo: #{session[:foo].inspect}; id: #{request.session_options[:id]}"
+      session[:foo]
+      render :text => "#{request.session_options[:id]}"
     end
 
     def call_reset_session
+      session[:bar]
       reset_session
+      session[:bar] = "baz"
       head :ok
     end
 
@@ -58,47 +61,52 @@ def test_getting_nil_session_value
       end
     end
 
-    def test_getting_session_id
+    def test_setting_session_value_after_session_reset
       with_test_route_set do
         get '/set_session_value'
         assert_response :success
         assert cookies['_session_id']
         session_id = cookies['_session_id']
 
-        get '/get_session_id'
+        get '/call_reset_session'
         assert_response :success
-        assert_equal "foo: \"bar\"; id: #{session_id}", response.body
-      end
-    end
+        assert_not_equal [], headers['Set-Cookie']
 
-    def test_prevents_session_fixation
-      with_test_route_set do
         get '/get_session_value'
         assert_response :success
         assert_equal 'foo: nil', response.body
-        session_id = cookies['_session_id']
-
-        reset!
 
-        get '/set_session_value', :_session_id => session_id
+        get '/get_session_id'
         assert_response :success
-        assert_equal nil, cookies['_session_id']
+        assert_not_equal session_id, response.body
       end
     end
 
-    def test_setting_session_value_after_session_reset
+    def test_getting_session_id
       with_test_route_set do
         get '/set_session_value'
         assert_response :success
         assert cookies['_session_id']
+        session_id = cookies['_session_id']
 
-        get '/call_reset_session'
+        get '/get_session_id'
         assert_response :success
-        assert_not_equal [], headers['Set-Cookie']
+        assert_equal session_id, response.body
+      end
+    end
 
+    def test_prevents_session_fixation
+      with_test_route_set do
         get '/get_session_value'
         assert_response :success
         assert_equal 'foo: nil', response.body
+        session_id = cookies['_session_id']
+
+        reset!
+
+        get '/set_session_value', :_session_id => session_id
+        assert_response :success
+        assert_equal nil, cookies['_session_id']
       end
     end
   rescue LoadError, RuntimeError