rack-session 2.0.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 80db83a32f94ca04708858cafb308daa26b94b9a4b95bdc74b92c288e56be8fd
-  data.tar.gz: 5502c441c1466396ce483c159fde5b909bc93aac9245b440368baad03f2246ff
+  metadata.gz: 24dbcb8931b1a26d39b7165f872231e9ce7f9006e8495616416faeb4538ed8e6
+  data.tar.gz: c26f979218fb4ac3b626d8638ee7b0e00183ac1acffdc1fb393fd85919e1cf46
 SHA512:
-  metadata.gz: d7c2863fbe132f21f64fc6b03911e72af78a5d59557ad7ad1f370c6bd25411747e1b0f4f695bb87b52eb2ab1a1b80829f9757a1aec3f50d9ac1c99fe84d34481
-  data.tar.gz: 5678a825dd79056f106e4e942d3b930a737ce27baf4da886a555215a903307691e9edcd2afdd494f85a39f8f605244d3e697b52cc0fed7548e44ac59c648afac
+  metadata.gz: e345e1424c6092e771a16f15fee04c19128dacfa50b586fbd7795ce1699fe50cbf2b7028624dc945e60a055f20c99c0d88c7c1eec729b13d527f3c3bcc7d6e6e
+  data.tar.gz: 8da88daf469c01ebeef2bb75b5ee04efc42e836807b3000b028fa2eb73f11db3585410321297e7607bd0e9413f768dab2a55e54f08e5326697e1d472f9363e6c

data/lib/rack/session/abstract/id.rb

@@ -215,7 +215,7 @@ module Rack
       # All parameters are optional.
       # * :key determines the name of the cookie, by default it is
       #   'rack.session'
-      # * :path, :domain, :expire_after, :secure, :httponly, and :same_site set
+      # * :path, :domain, :expire_after, :secure, :httponly, :partitioned and :same_site set
       #   the related cookie options as by Rack::Response#set_cookie
       # * :skip will not a set a cookie in the response nor update the session state
       # * :defer will not set a cookie in the response but still update the session
@@ -244,6 +244,7 @@ module Rack
           expire_after: nil,
           secure: false,
           httponly: true,
+          partitioned: false,
           defer: false,
           renew: false,
           sidbits: 128,
@@ -257,6 +258,7 @@ module Rack
           @app = app
           @default_options = self.class::DEFAULT_OPTIONS.merge(options)
           @key = @default_options.delete(:key)
+          @assume_ssl = @default_options.delete(:assume_ssl)
           @cookie_only = @default_options.delete(:cookie_only)
           @same_site = @default_options.delete(:same_site)
           initialize_sid
@@ -368,7 +370,7 @@ module Rack
 
         def security_matches?(request, options)
           return true unless options[:secure]
-          request.ssl?
+          request.ssl? || @assume_ssl == true
         end
 
         # Acquires the session from the environment and the session id from

data/lib/rack/session/pool.rb

@@ -53,6 +53,7 @@ module Rack
 
       def write_session(req, session_id, new_session, options)
         @mutex.synchronize do
+          return false unless get_session_with_fallback(session_id)
           @pool.store session_id.private_id, new_session
           session_id
         end
@@ -62,7 +63,12 @@ module Rack
         @mutex.synchronize do
           @pool.delete(session_id.public_id)
           @pool.delete(session_id.private_id)
-          generate_sid(use_mutex: false) unless options[:drop]
+
+          unless options[:drop]
+            sid = generate_sid(use_mutex: false)
+            @pool.store(sid.private_id, {})
+            sid
+          end
         end
       end
 

data/lib/rack/session/version.rb

@@ -5,6 +5,6 @@
 
 module Rack
   module Session
-    VERSION = "2.0.0"
+    VERSION = "2.1.1"
   end
 end

data/releases.md

@@ -0,0 +1,27 @@
+# Releases
+
+## v2.1.1
+
+  - Prevent `Rack::Session::Pool` from recreating deleted sessions [CVE-2025-46336](https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj).
+
+## v2.1.0
+
+  - Improved compatibility with Ruby 3.3+ and Rack 3+.
+  - Add support for cookie option `partitioned`.
+  - Introduce `assume_ssl` option to allow secure session cookies through insecure proxy.
+
+## v2.0.0
+
+  - Initial migration of code from Rack 2, for Rack 3 release.
+
+## v1.0.2
+
+  - Fix missing `rack/session.rb` file.
+
+## v1.0.1
+
+  - Pin to `rack < 3`.
+
+## v1.0.0
+
+  - Empty shim release for Rack 2.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-session
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Samuel Williams
@@ -11,8 +11,22 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-18 00:00:00.000000000 Z
+date: 2025-05-06 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -112,11 +126,13 @@ files:
 - lib/rack/session/version.rb
 - license.md
 - readme.md
+- releases.md
 - security.md
 homepage: https://github.com/rack/rack-session
 licenses:
 - MIT
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -125,14 +141,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: A session implementation for Rack.