Description of the bug
whenever a request is made to a nonexistent profile (due to a broken link, for example),
Noosfero sets the session cookie even if the user is not logged in. This happens because
the render_not_found call renders and processing is halted, which does not give a
chance to the after_filters in the noosfero_caching plugin to prepare the wipe-out
of the cookies.
Every access to keys of the session hash (e.g.
session[:foo]) must be guarded with a
check of whether that key is actually there, e.g.
session.has_key?(:foo). Read access
to the session forces the creation of a cookie, which is a bug in Rails 2.3.5; this was only
fixed in Rails 2.3.14.
Steps to reproduce
- make a request to
yoursite/xyz, where xyz is a nonexistent profile
- verify that Noosfero sets a _noosfero_session cookie in return
--
AntonioTerceiro -- 23 May 2012
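The reproduction steps above as a small Ruby probe. This is an added example, not Noosfero project code: it sends one anonymous GET (no Cookie header) to a URL you supply, collects the Set-Cookie headers of the response and reports whether _noosfero_session is among them. The URL on the command line and the cookie name _noosfero_session are the only assumptions; the constructed header values in the comments are there to show the parser's input format.

```ruby
require 'net/http'
require 'uri'

SESSION_COOKIE = '_noosfero_session'

# Extract the cookie names from an array of Set-Cookie header values.
# Each value looks like "name=value; path=/; HttpOnly" (constructed sample);
# only the part before the first ';' and '=' is the name.
def cookie_names(set_cookie_values)
  Array(set_cookie_values).map do |value|
    value.split(';', 2).first.split('=', 2).first.strip
  end
end

# True when the response would hand the client a Noosfero session cookie.
def sets_session_cookie?(set_cookie_values)
  cookie_names(set_cookie_values).include?(SESSION_COOKIE)
end

# Anonymous probe: one GET with no Cookie header, so any session cookie in
# the reply was created by the server for a visitor that is not logged in.
# Returns [http_status, set_cookie_values].
def probe(url)
  uri = URI.parse(url)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    response = http.get(uri.request_uri)
    [response.code.to_i, response.get_fields('Set-Cookie') || []]
  end
end

if __FILE__ == $0
  if ARGV.empty?
    warn "usage: ruby #{$0} http://yoursite/xyz   # xyz = a profile that does not exist"
  else
    status, cookies = probe(ARGV[0])
    if sets_session_cookie?(cookies)
      puts "BUG: HTTP #{status} sets #{SESSION_COOKIE} (cookies: #{cookie_names(cookies).join(', ')})"
      exit 1
    else
      puts "OK: HTTP #{status} sets no #{SESSION_COOKIE}"
    end
  end
end
```

Run it against a profile path that does not exist; a 404 that still carries Set-Cookie: _noosfero_session=... is the bug described above, and the exit status makes the probe usable from a script. Run it once more with a real profile path to confirm the probe itself works against your site.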
diff --git a/features/session_and_cookies_handling.feature b/features/session_an
index 5a644d5..600923f 100644
--- a/features/session_and_cookies_handling.feature
+++ b/features/session_and_cookies_handling.feature
@@ -25,6 +25,10 @@ Feature: session and cookies handling
When I make a AJAX request to the user data path
Then there must be a cookie "_noosfero_session"
+ Scenario: 404 on unexisting profile should not produce a session cookie
+ When I go to /unexistingprofile
+ Then there must be no cookies
+
# FIXME for some reason I could not test this scenario, although manual tests
# indicate this works!
# Scenario: logout
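Review bot: Only the feature file is in this patch; the code change that stops the 404 path from setting the session cookie is not in this hunk, so the new scenario fails against the tree as it stands unless that fix lands together with it. On the scenario itself, "Then there must be no cookies" only covers an anonymous visitor; add a second scenario in which a logged-in user goes to /unexistingprofile and the "_noosfero_session" cookie must still be present afterwards, since the fix must not wipe a real session on a 404. The scenario title also has a typo: "unexisting" should read "nonexistent".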
--
AntonioTerceiro - 09 Jun 2012
Topic revision: r4 - 20 Jul 2012 - 14:31:55 - LarissaReis