Keep track of valid user sessions (#21058).

git-svn-id: http://svn.redmine.org/redmine/trunk@14735 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application_controller.rb

@@ -51,7 +51,7 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  before_filter :session_expiration, :user_setup, :force_logout_if_password_changed, :check_if_login_required, :check_password_change, :set_localization
+  before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization
 
   rescue_from ::Unauthorized, :with => :deny_access
   rescue_from ::ActionView::MissingTemplate, :with => :missing_template
@@ -63,36 +63,23 @@ class ApplicationController < ActionController::Base
   include Redmine::SudoMode::Controller
 
   def session_expiration
-    if session[:user_id]
+    if session[:user_id] && Rails.application.config.redmine_verify_sessions != false
       if session_expired? && !try_to_autologin
         set_localization(User.active.find_by_id(session[:user_id]))
         self.logged_user = nil
         flash[:error] = l(:error_session_expired)
         require_login
-      else
-        session[:atime] = Time.now.utc.to_i
       end
     end
   end
 
   def session_expired?
-    if Setting.session_lifetime?
+    ! User.verify_session_token(session[:user_id], session[:tk])
-      unless session[:ctime] && (Time.now.utc.to_i - session[:ctime].to_i <= Setting.session_lifetime.to_i * 60)
-        return true
-      end
-    end
-    if Setting.session_timeout?
-      unless session[:atime] && (Time.now.utc.to_i - session[:atime].to_i <= Setting.session_timeout.to_i * 60)
-        return true
-      end
-    end
-    false
   end
 
   def start_user_session(user)
     session[:user_id] = user.id
-    session[:ctime] = Time.now.utc.to_i
+    session[:tk] = user.generate_session_token
-    session[:atime] = Time.now.utc.to_i
     if user.must_change_password?
       session[:pwd] = '1'
     end
@@ -149,18 +136,6 @@ class ApplicationController < ActionController::Base
     user
   end
 
-  def force_logout_if_password_changed
-    passwd_changed_on = User.current.passwd_changed_on || Time.at(0)
-    # Make sure we force logout only for web browser sessions, not API calls
-    # if the password was changed after the session creation.
-    if session[:user_id] && passwd_changed_on.utc.to_i > session[:ctime].to_i
-      reset_session
-      set_localization
-      flash[:error] = l(:error_session_expired)
-      redirect_to signin_url
-    end
-  end
-
   def autologin_cookie_name
     Redmine::Configuration['autologin_cookie_name'].presence || 'autologin'
   end
@@ -193,6 +168,7 @@ class ApplicationController < ActionController::Base
     if User.current.logged?
       cookies.delete(autologin_cookie_name)
       Token.delete_all(["user_id = ? AND action = ?", User.current.id, 'autologin'])
+      Token.delete_all(["user_id = ? AND action = ? AND value = ?", User.current.id, 'session', session[:tk]])
       self.logged_user = nil
     end
   end

app/controllers/my_controller.rb

@@ -103,9 +103,8 @@ class MyController < ApplicationController
         @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
         @user.must_change_passwd = false
         if @user.save
-          # Reset the session creation time to not log out this session on next
+          # The session token was destroyed by the password change, generate a new one
-          # request due to ApplicationController#force_logout_if_password_changed
+          session[:tk] = @user.generate_session_token
-          session[:ctime] = User.current.passwd_changed_on.utc.to_i
           flash[:notice] = l(:notice_account_password_updated)
           redirect_to my_account_path
         end

app/models/token.rb

@@ -36,7 +36,7 @@ class Token < ActiveRecord::Base
 
   # Delete all expired tokens
   def self.destroy_expired
-    Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api'], Time.now - validity_time).delete_all
+    Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api', 'session'], Time.now - validity_time).delete_all
   end
 
   # Returns the active user who owns the key for the given action
@@ -79,7 +79,15 @@ class Token < ActiveRecord::Base
   # Removes obsolete tokens (same user and action)
   def delete_previous_tokens
     if user
-      Token.where(:user_id => user.id, :action => action).delete_all
+      scope = Token.where(:user_id => user.id, :action => action)
+      if action == 'session'
+        ids = scope.order(:updated_on => :desc).offset(9).ids
+        if ids.any?
+          Token.delete(ids)
+        end
+      else
+        scope.delete_all
+      end
     end
   end
 end

app/models/user.rb

@@ -394,6 +394,26 @@ class User < Principal
     api_token.value
   end
 
+  # Generates a new session token and returns its value
+  def generate_session_token
+    token = Token.create!(:user_id => id, :action => 'session')
+    token.value
+  end
+
+  # Returns true if token is a valid session token for the user whose id is user_id
+  def self.verify_session_token(user_id, token)
+    return false if user_id.blank? || token.blank?
+
+    scope = Token.where(:user_id => user_id, :value => token.to_s, :action => 'session')
+    if Setting.session_lifetime?
+      scope = scope.where("created_on > ?", Setting.session_lifetime.to_i.minutes.ago)
+    end
+    if Setting.session_timeout?
+      scope = scope.where("updated_on > ?", Setting.session_timeout.to_i.minutes.ago)
+    end
+    scope.update_all(:updated_on => Time.now) == 1
+  end
+
   # Return an array of project ids for which the user has explicitly turned mail notifications on
   def notified_projects_ids
     @notified_projects_ids ||= memberships.select {|m| m.mail_notification?}.collect(&:project_id)
@@ -764,8 +784,8 @@ class User < Principal
   # This helps to keep the account secure in case the associated email account
   # was compromised.
   def destroy_tokens
-    if hashed_password_changed?
+    if hashed_password_changed? || (status_changed? && !active?)
-      tokens = ['recovery', 'autologin']
+      tokens = ['recovery', 'autologin', 'session']
       Token.where(:user_id => id, :action => tokens).delete_all
     end
   end

config/environments/test.rb

@@ -26,6 +26,9 @@ Rails.application.configure do
   # Disable request forgery protection in test environment.
   config.action_controller.allow_forgery_protection = false
 
+  # Disable sessions verifications in test environment.
+  config.redmine_verify_sessions = false
+
   # Print deprecation notices to stderr and the Rails logger.
   config.active_support.deprecation = [:stderr, :log]
 

db/migrate/20151024082034_add_tokens_updated_on.rb

@@ -0,0 +1,10 @@
+class AddTokensUpdatedOn < ActiveRecord::Migration
+  def self.up
+    add_column :tokens, :updated_on, :timestamp
+    Token.update_all("updated_on = created_on")
+  end
+
+  def self.down
+    remove_column :tokens, :updated_on
+  end
+end

test/functional/my_controller_test.rb

@@ -185,18 +185,6 @@ class MyControllerTest < ActionController::TestCase
     assert User.try_to_login('jsmith', 'secret123')
   end
 
-  def test_change_password_kills_other_sessions
-    @request.session[:ctime] = (Time.now - 30.minutes).utc.to_i
-
-    jsmith = User.find(2)
-    jsmith.passwd_changed_on = Time.now
-    jsmith.save!
-
-    get 'account'
-    assert_response 302
-    assert flash[:error].match(/Your session has expired/)
-  end
-
   def test_change_password_should_redirect_if_user_cannot_change_its_password
     User.find(2).update_attribute(:auth_source_id, 1)
 

test/functional/sessions_controller_test.rb

@@ -0,0 +1,138 @@
+# Redmine - project management software
+# Copyright (C) 2006-2015  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+require File.expand_path('../../test_helper', __FILE__)
+
+class SessionsControllerTest < ActionController::TestCase
+  include Redmine::I18n
+  tests WelcomeController
+
+  fixtures :users, :email_addresses
+
+  def setup
+    Rails.application.config.redmine_verify_sessions = true
+  end
+
+  def teardown
+    Rails.application.config.redmine_verify_sessions = false
+  end
+
+  def test_session_token_should_be_updated
+    created = 10.hours.ago
+    token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+    get :index, {}, {:user_id => 2, :tk => token.value}
+    assert_response :success
+    token.reload
+    assert_equal created, token.created_on
+    assert_not_equal created, token.updated_on
+    assert token.updated_on > created
+  end
+
+  def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled
+    created = 2.years.ago
+    token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+    with_settings :session_lifetime => '0', :session_timeout => '0' do
+      get :index, {}, {:user_id => 2, :tk => token.value}
+      assert_response :success
+    end
+  end
+
+  def test_user_session_without_token_should_be_reset
+    get :index, {}, {:user_id => 2}
+    assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
+  end
+
+  def test_expired_user_session_should_be_reset_if_lifetime_enabled
+    created = 2.days.ago
+    token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+    with_settings :session_timeout => '720' do
+      get :index, {}, {:user_id => 2, :tk => token.value}
+      assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
+    end
+  end
+
+  def test_valid_user_session_should_not_be_reset_if_lifetime_enabled
+    created = 3.hours.ago
+    token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+    with_settings :session_timeout => '720' do
+      get :index, {}, {:user_id => 2, :tk => token.value}
+      assert_response :success
+    end
+  end
+
+  def test_expired_user_session_should_be_reset_if_timeout_enabled
+    created = 4.hours.ago
+    token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+    with_settings :session_timeout => '60' do
+      get :index, {}, {:user_id => 2, :tk => token.value}
+      assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
+    end
+  end
+
+  def test_valid_user_session_should_not_be_reset_if_timeout_enabled
+    created = 10.minutes.ago
+    token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+    with_settings :session_timeout => '60' do
+      get :index, {}, {:user_id => 2, :tk => token.value}
+      assert_response :success
+    end
+  end
+
+  def test_expired_user_session_should_be_restarted_if_autologin
+    created = 2.hours.ago
+    token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+    with_settings :session_lifetime => '720', :session_timeout => '60', :autologin => 7 do
+      autologin_token = Token.create!(:user_id => 2, :action => 'autologin', :created_on => 1.day.ago)
+      @request.cookies['autologin'] = autologin_token.value
+
+      get :index, {}, {:user_id => 2, :tk => token.value}
+      assert_equal 2, session[:user_id]
+      assert_response :success
+      assert_not_equal token.value, session[:tk]
+    end
+  end
+
+  def test_expired_user_session_should_set_locale
+    set_language_if_valid 'it'
+    user = User.find(2)
+    user.language = 'fr'
+    user.save!
+    created = 4.hours.ago
+    token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+    with_settings :session_timeout => '60' do
+      get :index, {}, {:user_id => user.id, :tk => token.value}
+      assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
+      assert_include "Veuillez vous reconnecter", flash[:error]
+      assert_equal :fr, current_language
+    end
+  end
+
+  def test_anonymous_session_should_not_be_reset
+    with_settings :session_lifetime => '720', :session_timeout => '60' do
+      get :index
+      assert_response :success
+    end
+  end
+end

test/functional/sessions_test.rb

@@ -1,132 +0,0 @@
-# Redmine - project management software
-# Copyright (C) 2006-2015  Jean-Philippe Lang
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-
-require File.expand_path('../../test_helper', __FILE__)
-
-class SessionStartTest < ActionController::TestCase
-  tests AccountController
-
-  fixtures :users
-
-  def test_login_should_set_session_timestamps
-    post :login, :username => 'jsmith', :password => 'jsmith'
-    assert_response 302
-    assert_equal 2, session[:user_id]
-    assert_not_nil session[:ctime]
-    assert_not_nil session[:atime]
-  end
-end
-
-class SessionsTest < ActionController::TestCase
-  include Redmine::I18n
-  tests WelcomeController
-
-  fixtures :users, :email_addresses
-
-  def test_atime_from_user_session_should_be_updated
-    created = 2.hours.ago.utc.to_i
-    get :index, {}, {:user_id => 2, :ctime => created, :atime => created}
-    assert_response :success
-    assert_equal created, session[:ctime]
-    assert_not_equal created, session[:atime]
-    assert session[:atime] > created
-  end
-
-  def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled
-    with_settings :session_lifetime => '0', :session_timeout => '0' do
-      get :index, {}, {:user_id => 2}
-      assert_response :success
-    end
-  end
-
-  def test_user_session_without_ctime_should_be_reset_if_lifetime_enabled
-    with_settings :session_lifetime => '720' do
-      get :index, {}, {:user_id => 2}
-      assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
-    end
-  end
-
-  def test_user_session_with_expired_ctime_should_be_reset_if_lifetime_enabled
-    with_settings :session_timeout => '720' do
-      get :index, {}, {:user_id => 2, :atime => 2.days.ago.utc.to_i}
-      assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
-    end
-  end
-
-  def test_user_session_with_valid_ctime_should_not_be_reset_if_lifetime_enabled
-    with_settings :session_timeout => '720' do
-      get :index, {}, {:user_id => 2, :atime => 3.hours.ago.utc.to_i}
-      assert_response :success
-    end
-  end
-
-  def test_user_session_without_atime_should_be_reset_if_timeout_enabled
-    with_settings :session_timeout => '60' do
-      get :index, {}, {:user_id => 2}
-      assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
-    end
-  end
-
-  def test_user_session_with_expired_atime_should_be_reset_if_timeout_enabled
-    with_settings :session_timeout => '60' do
-      get :index, {}, {:user_id => 2, :atime => 4.hours.ago.utc.to_i}
-      assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
-    end
-  end
-
-  def test_user_session_with_valid_atime_should_not_be_reset_if_timeout_enabled
-    with_settings :session_timeout => '60' do
-      get :index, {}, {:user_id => 2, :atime => 10.minutes.ago.utc.to_i}
-      assert_response :success
-    end
-  end
-
-  def test_expired_user_session_should_be_restarted_if_autologin
-    with_settings :session_lifetime => '720', :session_timeout => '60', :autologin => 7 do
-      token = Token.create!(:user_id => 2, :action => 'autologin', :created_on => 1.day.ago)
-      @request.cookies['autologin'] = token.value
-      created = 2.hours.ago.utc.to_i
-
-      get :index, {}, {:user_id => 2, :ctime => created, :atime => created}
-      assert_equal 2, session[:user_id]
-      assert_response :success
-      assert_not_equal created, session[:ctime]
-      assert session[:ctime] >= created
-    end
-  end
-
-  def test_expired_user_session_should_set_locale
-    set_language_if_valid 'it'
-    user = User.find(2)
-    user.language = 'fr'
-    user.save!
-
-    with_settings :session_timeout => '60' do
-      get :index, {}, {:user_id => user.id, :atime => 4.hours.ago.utc.to_i}
-      assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
-      assert_include "Veuillez vous reconnecter", flash[:error]
-      assert_equal :fr, current_language
-    end
-  end
-
-  def test_anonymous_session_should_not_be_reset
-    with_settings :session_lifetime => '720', :session_timeout => '60' do
-      get :index
-      assert_response :success
-    end
-  end
-end

test/integration/account_test.rb

@@ -30,35 +30,47 @@ class AccountTest < Redmine::IntegrationTest
     assert_template "my/account"
   end
 
+  def test_login_should_set_session_token
+    assert_difference 'Token.count' do
+      log_user('jsmith', 'jsmith')
+
+      assert_equal 2, session[:user_id]
+      assert_not_nil session[:tk]
+    end
+  end
+
   def test_autologin
     user = User.find(1)
-    Setting.autologin = "7"
     Token.delete_all
 
-    # User logs in with 'autologin' checked
+    with_settings :autologin => '7' do
-    post '/login', :username => user.login, :password => 'admin', :autologin => 1
+      assert_difference 'Token.count', 2 do
-    assert_redirected_to '/my/page'
+        # User logs in with 'autologin' checked
-    token = Token.first
+        post '/login', :username => user.login, :password => 'admin', :autologin => 1
-    assert_not_nil token
+        assert_redirected_to '/my/page'
-    assert_equal user, token.user
+      end
-    assert_equal 'autologin', token.action
+      token = Token.where(:action => 'autologin').order(:id => :desc).first
-    assert_equal user.id, session[:user_id]
+      assert_not_nil token
-    assert_equal token.value, cookies['autologin']
+      assert_equal user, token.user
-
+      assert_equal 'autologin', token.action
-    # Session is cleared
+      assert_equal user.id, session[:user_id]
-    reset!
+      assert_equal token.value, cookies['autologin']
-    User.current = nil
+  
-    # Clears user's last login timestamp
+      # Session is cleared
-    user.update_attribute :last_login_on, nil
+      reset!
-    assert_nil user.reload.last_login_on
+      User.current = nil
-
+      # Clears user's last login timestamp
-    # User comes back with user's autologin cookie
+      user.update_attribute :last_login_on, nil
-    cookies[:autologin] = token.value
+      assert_nil user.reload.last_login_on
-    get '/my/page'
+  
-    assert_response :success
+      # User comes back with user's autologin cookie
-    assert_template 'my/page'
+      cookies[:autologin] = token.value
-    assert_equal user.id, session[:user_id]
+      get '/my/page'
-    assert_not_nil user.reload.last_login_on
+      assert_response :success
+      assert_template 'my/page'
+      assert_equal user.id, session[:user_id]
+      assert_not_nil user.reload.last_login_on
+    end
   end
 
   def test_autologin_should_use_autologin_cookie_name
@@ -69,7 +81,7 @@ class AccountTest < Redmine::IntegrationTest
     Redmine::Configuration.stubs(:[]).with('sudo_mode_timeout').returns(15)
 
     with_settings :autologin => '7' do
-      assert_difference 'Token.count' do
+      assert_difference 'Token.count', 2 do
         post '/login', :username => 'admin', :password => 'admin', :autologin => 1
         assert_response 302
       end
@@ -82,7 +94,7 @@ class AccountTest < Redmine::IntegrationTest
       get '/my/page'
       assert_response :success
 
-      assert_difference 'Token.count', -1 do
+      assert_difference 'Token.count', -2 do
         post '/logout'
       end
       assert cookies['custom_autologin'].blank?
@@ -119,7 +131,7 @@ class AccountTest < Redmine::IntegrationTest
     assert_equal 'Password was successfully updated.', flash[:notice]
 
     log_user('jsmith', 'newpass123')
-    assert_equal 0, Token.count
+    assert_equal false, Token.exists?(token.id), "Password recovery token was not deleted"
   end
 
   def test_user_with_must_change_passwd_should_be_forced_to_change_its_password

test/integration/sessions_test.rb

@@ -0,0 +1,97 @@
+# Redmine - project management software
+# Copyright (C) 2006-2015  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+require File.expand_path('../../test_helper', __FILE__)
+
+class SessionsTest < Redmine::IntegrationTest
+  fixtures :users, :email_addresses, :roles
+
+  def setup
+    Rails.application.config.redmine_verify_sessions = true
+  end
+
+  def teardown
+    Rails.application.config.redmine_verify_sessions = false
+  end
+
+  def test_change_password_kills_sessions
+    log_user('jsmith', 'jsmith')
+
+    jsmith = User.find(2)
+    jsmith.password = "somenewpassword"
+    jsmith.save!
+
+    get '/my/account'
+    assert_response 302
+    assert flash[:error].match(/Your session has expired/)
+  end
+
+  def test_lock_user_kills_sessions
+    log_user('jsmith', 'jsmith')
+
+    jsmith = User.find(2)
+    assert jsmith.lock!
+    assert jsmith.activate!
+
+    get '/my/account'
+    assert_response 302
+    assert flash[:error].match(/Your session has expired/)
+  end
+
+  def test_update_user_does_not_kill_sessions
+    log_user('jsmith', 'jsmith')
+
+    jsmith = User.find(2)
+    jsmith.firstname = 'Robert'
+    jsmith.save!
+
+    get '/my/account'
+    assert_response 200
+  end
+
+  def test_change_password_generates_a_new_token_for_current_session
+    log_user('jsmith', 'jsmith')
+    assert_not_nil token = session[:tk]
+
+    get '/my/password'
+    assert_response 200
+    post '/my/password', :password => 'jsmith',
+                         :new_password => 'secret123',
+                         :new_password_confirmation => 'secret123'
+    assert_response 302
+    assert_not_equal token, session[:tk]
+
+    get '/my/account'
+    assert_response 200
+  end
+
+  def test_simultaneous_sessions_should_be_valid
+    first = open_session do |session|
+      session.post "/login", :username => 'jsmith', :password => 'jsmith'
+    end
+    other = open_session do |session|
+      session.post "/login", :username => 'jsmith', :password => 'jsmith'
+    end
+
+    first.get '/my/account'
+    assert_equal 200, first.response.response_code
+    first.post '/logout'
+
+    other.get '/my/account'
+    assert_equal 200, other.response.response_code
+  end
+end

test/unit/token_test.rb

@@ -36,6 +36,19 @@ class TokenTest < ActiveSupport::TestCase
     assert  Token.exists?(t2.id)
   end
 
+  def test_create_session_token_should_keep_last_10_tokens
+    Token.delete_all
+    user = User.find(1)
+
+    assert_difference 'Token.count', 10 do
+      10.times { Token.create!(:user => user, :action => 'session') }
+    end
+
+    assert_no_difference 'Token.count' do
+      Token.create!(:user => user, :action => 'session')
+    end
+  end
+
   def test_destroy_expired_should_not_destroy_feeds_and_api_tokens
     Token.delete_all