Remove the "login doesn't escalate privileges" tests
In #4457 we introduced a change and two tests to verify that the session does not leak the session id via an old session hash reference. Starting with Rails 4.0, the session implementation used in tests (TestSession) gained a destroy method (https://github.com/rails/rails/commit/7d624e0e8cfa3adffd8f475e3588d83f3b367c24#diff-600d5368b55e46ed961abb4295977ac3R254), which lets the session stack call it on the existing session object instead of creating a new hash instance (https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/http/request.rb#L349-L355). Because the old reference and the reset session are then the same object, this should have caused a regression in those two tests, but due to an oversight in the test assertion they never failed: the session's keys method always returns string entries, so the assertion, which looked for a non-string key, could never fire.

The purpose of this ticket is to refactor this simply by removing the two tests, because we already test the presence of the user session key in the "sets the session user" test, and the call to reset_session (which calls destroy) in the "changes the session ID to prevent fixation" test.
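The following is an added example, not code from this ticket, from Spree or from Rails. It reproduces the situation described above with hypothetical stand-ins (FakeTestSession, LegacyTestSession, FakeRequest and login are all assumptions modelled on the ticket's description, not the real Rails classes): a session hash whose keys are always strings, a reset_session that calls destroy when the session object has one and otherwise swaps in a new hash, and the two possible assertions on the old reference. It shows why a check against a symbol key can never fire, and that with an in-place destroy the old reference does see the logged-in user's key, which is the regression the removed tests should have caught.

```ruby
require "securerandom"

# Hypothetical stand-in for ActionController::TestSession (not Rails code).
# Like the real session hash, it stores keys as strings, so #keys never
# returns symbols.
class FakeTestSession
  attr_reader :id

  def initialize(attrs = {})
    @id = SecureRandom.hex(16)
    @data = {}
    attrs.each { |k, v| self[k] = v }
  end

  def [](key)
    @data[key.to_s]
  end

  def []=(key, value)
    @data[key.to_s] = value
  end

  def keys
    @data.keys # always strings
  end

  # Rails >= 4.0 shape: destroy clears the data and rotates the id in place,
  # on the same object, so any old reference to the session sees the changes.
  def destroy
    @data.clear
    @id = SecureRandom.hex(16)
  end
end

# Pre-4.0 shape: no #destroy, so reset_session has to swap in a new object.
class LegacyTestSession < FakeTestSession
  undef_method :destroy
end

# Hypothetical stand-in for the two code paths of reset_session described in
# the ticket: destroy the existing session if it can be destroyed, otherwise
# replace it with a fresh hash.
class FakeRequest
  attr_reader :session

  def initialize(session)
    @session = session
  end

  def reset_session
    if session.respond_to?(:destroy)
      session.destroy
    else
      @session = FakeTestSession.new
    end
  end
end

# Login as a fixation-aware controller does it: reset the session first, then
# write the user key. Returns the pre-login reference and ids so a test can
# check what the old reference sees afterwards.
def login(request, user_id)
  old_session = request.session
  old_id = old_session.id
  request.reset_session
  request.session["user_id"] = user_id
  { old_session: old_session, old_id: old_id, new_session: request.session }
end

# The assertion in the shape the removed tests used: a symbol compared against
# string keys. This is false for every session, leaked or not.
def old_reference_leaks_symbol_check?(old_session)
  old_session.keys.include?(:user_id)
end

# The check that actually detects whether the old reference now carries the
# logged-in user's key.
def old_reference_leaks_string_check?(old_session)
  old_session.keys.include?("user_id")
end

if __FILE__ == $PROGRAM_NAME
  result = login(FakeRequest.new(FakeTestSession.new), 42)
  puts "same object after reset: #{result[:old_session].equal?(result[:new_session])}"
  puts "symbol check fires:      #{old_reference_leaks_symbol_check?(result[:old_session])}"
  puts "string check fires:      #{old_reference_leaks_string_check?(result[:old_session])}"
  puts "session id rotated:      #{result[:old_id] != result[:new_session].id}"
end
```

With FakeTestSession (destroy available) the old reference is the very object that now holds "user_id", so the string check fires while the symbol check stays false; with LegacyTestSession the old reference is a different, untouched object and both checks stay false. In both cases the session id changes across login, which is the property the remaining "changes the session ID to prevent fixation" test still covers.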