How to get a legit ActionController with a nil @session param ... read on

A browser sends a request (/main/index) so ROR creates an instance of
main_controller and invokes the index action on it. main_controller has
registered ``audit" as a before_filter. ``audit" is called first before
``index". so far so good.

def audit() does this:

        // the login_controller handles the login page and
        // knows whether or not there's a valid login by
        // inspecting the session param in a certain way
        // which it encapsulates.
        // remember: audit is a method inside main_controller
        c =
        if c.valid_user == true // if there's a valid login
           . . .

The problem: when c.valid_user (that is LoginController.valid_user via
the `c' object) attempts to read from it's @session param it is nil.

Conclusion: creates a new controller but
its @session param is nil.
Implication: During the normal course of routing action calls, the ROR
framework creates your controller on your behalf via its class method
.new and, at a later time, also sets the session variable for your.

The design goal here is simple: delegation: I can have exactly one
class encapsulate all the authentication stuff. However my design is
broken because of the unexpected problem of not accessing the @session