Description of the bug
Whenever a request is made to a non-existing profile (due to a broken link, for example),
Noosfero sets the session cookie even if the user is not logged in. This happens because
the render_not_found call renders, and the processing is halted, which does not give the
after_filters in the noosfero_caching plugin a chance to prepare the wipe out
of the cookies.
Every access to keys of the session hash (e.g.
must be guarded with a
check to whether that key is actually there, e.g.
). Read access
to the session forces the creation of a cookie, which is a bug in Rails 2.3.5; this was only
fixed in Rails 2.3.14.
Steps to reproduce
- make a request to yoursite/xyz, where xyz is a non-existing profile
- verify that noosfero sets a _noosfero_session cookie in return
-- 23 May 2012
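A check for the last reproduction step, as an added example (not Noosfero code): it inspects a raw response and reports whether a 404 sent to a client without cookies really sets `_noosfero_session`. The function names and sample responses are constructed, and treating an empty value or `Max-Age` of 0 as a cookie deletion is an assumption.

```ruby
SESSION_COOKIE = '_noosfero_session' # cookie name from the report

# Split a raw HTTP response head into [status_code, Set-Cookie header values].
def parse_response_head(raw)
  lines = raw.split(/\r?\n\r?\n/, 2).first.to_s.split(/\r?\n/)
  status = lines.shift.to_s[%r{\AHTTP/\d(?:\.\d)?\s+(\d{3})}, 1].to_i
  cookies = lines.map { |l| l.split(':', 2) }
                 .select { |name, value| value && name.strip.casecmp?('set-cookie') }
                 .map { |_, value| value.strip }
  [status, cookies]
end

# Names of cookies the response actually sets.
# Assumption: an empty value or Max-Age <= 0 is a deletion, not a new cookie.
def cookies_set(set_cookie_values)
  set_cookie_values.map do |line|
    pair, *attrs = line.split(';').map(&:strip).reject(&:empty?)
    next if pair.nil?
    name, value = pair.split('=', 2)
    attrs = attrs.map { |a| a.split('=', 2) }.to_h { |k, v| [k.downcase, v] }
    deleted = value.to_s.empty? || (attrs.key?('max-age') && attrs['max-age'].to_i <= 0)
    deleted ? nil : name
  end.compact
end

# True when a request sent without cookies gets a 404 that sets the session cookie.
def unexpected_session_cookie?(raw_response, request_sent_cookie: false)
  return false if request_sent_cookie # returning client: outside this report
  status, set_cookie = parse_response_head(raw_response)
  status == 404 && cookies_set(set_cookie).include?(SESSION_COOKIE)
end

# Constructed sample responses (not captured from a real site).
BUGGY_404 = ["HTTP/1.1 404 Not Found", "Content-Type: text/html",
             "Set-Cookie: _noosfero_session=constructed-value; path=/; HttpOnly",
             "", "<html>not found</html>"].join("\r\n")
CLEAN_404 = ["HTTP/1.1 404 Not Found", "Content-Type: text/html",
             "", "<html>not found</html>"].join("\r\n")
WIPED_404 = ["HTTP/1.1 404 Not Found",
             "set-cookie: _noosfero_session=; path=/; Max-Age=0",
             "", ""].join("\r\n")

if __FILE__ == $PROGRAM_NAME
  { 'buggy' => BUGGY_404, 'clean' => CLEAN_404, 'wiped' => WIPED_404 }.each do |label, raw|
    puts "#{label}: #{unexpected_session_cookie?(raw) ? 'FAIL, session cookie on 404' : 'ok'}"
  end
end
```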
diff --git a/features/session_and_cookies_handling.feature b/features/session_an
index 5a644d5..600923f 100644
@@ -25,6 +25,10 @@ Feature: session and cookies handling
When I make a AJAX request to the user data path
Then there must be a cookie "_noosfero_session"
+ Scenario: 404 on unexisting profile should not produce a session cookie
+ When I go to /unexistingprofile
+ Then there must be no cookies
# FIXME for some reason I could not test this scenario, although manual tests
# indicate this works!
# Scenario: logout
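Review bot: The added scenario's assertion `Then there must be no cookies` is broader than its title, which is about the session cookie only, and broader than the neighbouring step `Then there must be a cookie "_noosfero_session"`; consider asserting on `_noosfero_session` by name so an unrelated cookie cannot fail the scenario, or reword the title to say that no cookie at all is expected. The scenario also depends on the client being anonymous without stating it, so an explicit precondition for the not-logged-in case would tie it to the reported behaviour. Only the feature file is visible in this diff; the change to the not-found handling that makes the scenario pass should be in the same patch or referenced from it.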
- 09 Jun 2012
| Title | Requests for unexisting profile creates a session cookie without need |
| ActionItemType | BugItem |
| Priority | 0 |
| Tags | |
| Feature | Infrastructure |
| Plugin | |
| ResponsibleDevelopers | AntonioTerceiro |
| ScheduledFor | N/A |
| AffectsVersion | |
| Status | Pending |
| Ticket | SAC: |
Topic revision: r4 - 20 Jul 2012 - 14:31:55 - LarissaReis