Refactor #23875

Updated by Lukas Zapletal about 4 years ago

In #4457 we introduced a change and two tests to verify the session does not leak the session id via an old session hash reference. Starting from Rails 4.0 the implementation used in tests (TestSession) was given a @destroy@ method, which enables the session stack to use it instead of creating a new hash instance. This should lead to a regression in tests, but due to an oversight in the test assertion, it was never failing:

refute old_session.keys.include?(:user)

The @keys@ method always returns entries as strings, therefore this line never fired. The purpose of this ticket is to refactor this - simply by removing the two tests, because we already test the presence of the user session key in the "sets the session user" test and the call of @reset_session@ (which calls the @destroy@ method) in the "changes the session ID to prevent fixation" test.

But the
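The assertion problem described in the ticket, as an added Ruby example that is not part of the original ticket or the project's code. @StringKeySession@ and the helper names are hypothetical, a constructed stand-in for a session whose @keys@ returns strings.

```ruby
# Constructed stand-in for a session that stores its keys as strings, as the
# ticket describes. StringKeySession is a hypothetical name, not Rails code.
class StringKeySession
  def initialize
    @data = {}
  end

  def []=(key, value)
    @data[key.to_s] = value
  end

  def [](key)
    @data[key.to_s]
  end

  def keys
    @data.keys
  end

  # Empties the same object in place, so old references see the cleared state.
  def destroy
    @data.clear
  end
end

# The ticket's check: a Symbol is never equal to a String key, so this is
# true for every session, including one that still holds the user.
def vacuous_check_passes?(session)
  !session.keys.include?(:user)
end

# A check that can fail: compare against the String form of the key.
def effective_check_passes?(session)
  !session.keys.include?("user")
end

def demo
  leaked = StringKeySession.new
  leaked[:user] = 42        # old reference that still carries the user
  cleared = StringKeySession.new
  cleared[:user] = 42
  cleared.destroy           # old reference emptied in place
  {
    vacuous_on_leaked: vacuous_check_passes?(leaked),
    effective_on_leaked: effective_check_passes?(leaked),
    effective_on_cleared: effective_check_passes?(cleared)
  }
end
```

The symbol-based check passes even on the session that still holds the user, which is why the regression described in the ticket went unnoticed.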