[Catalyst] Still weird behavior in sessions and cookies (Hey Nothingmuch:!)

Bill Moseley moseley at hank.org
Thu Dec 6 01:08:33 GMT 2007


Well, I only got as far as a test case that fails on this.  The test
is on Session::State::Cookie, but I do not believe that's where the
problem is -- just where it shows up.

The issue comes up when 1) an expired session is sent in the request
and 2) the session is accessed late in the request.  For example, when
implementing a "remember me" feature by overriding
calculate_session_cookie_expires().

So, it's not unexpected that this would not show up very often -- the
cookies often expire with the session.  But, if you have session
cookies and someone leaves their browser open and the session expires
on the server then, as was in my case, it's impossible to log in
without removing the cookie.  I suppose clock differences could
trigger it, too.

When an invalid/expired session is sent in the request what happens is
two session ids are created -- and one is used for storing the session
info, and the other is returned in the cookie.  That's why it's
impossible to complete the login process.


When I wrote my test I just had this, which was enough to trigger it:

    sub calculate_session_cookie_expires {
        my $c = shift;
        $c->session;
        return $c->NEXT::calculate_session_cookie_expires;
    }

I thought I'd be smart and write it like this so I could test both with
and without the $c->session call.

    sub calculate_session_cookie_expires {
        my $c = shift;
        if ( $c->stash->{fail} ) {
            warn "I'm hit!\n";
            $c->session;
        }
        return $c->NEXT::calculate_session_cookie_expires;
    }

And that never fails.  Huh.  Even if the stash is set the test doesn't
fail.

Anyway, I'll attach a failing test for Session::State::Cookie.  This
is all against svn.

The last time I posted a failing test it never got applied.  I have
commit to some items, but I can't remember what password I sent to
mst, and what commit access I have.  So, it's an attachment, instead.



-- 
Bill Moseley
moseley at hank.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: session_destroyed.t
Type: application/x-troff
Size: 4376 bytes
Desc: not available
Url : http://lists.scsys.co.uk/pipermail/catalyst/attachments/20071205/3e7b69bb/session_destroyed.t
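
The following is an added example, not part of the original post and not Catalyst::Plugin::Session code. It is a constructed toy model of the symptom described above (an expired session id arrives, data is stored under one new id while a different one goes back in the cookie), with a regression check that detects it. All names (`handle_request`, `logged_in`, `$split_ids`, the `stale` id) are hypothetical, and the model reproduces only the symptom, not its cause.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed in-memory session store: sid => { expires => epoch, data => {...} }
my %STORE;
my $next_id = 0;
sub new_sid { return sprintf 'sid%04d', ++$next_id }

# Handle one request. $cookie_sid is the id the browser sent (or undef),
# $login is true for a login request. Returns the sid put in the response cookie.
# With $split_ids set, an expired incoming id yields two fresh ids: one used
# for storage and a different one returned in the cookie.
sub handle_request {
    my ($cookie_sid, $login, $split_ids) = @_;
    my $rec     = defined $cookie_sid ? $STORE{$cookie_sid} : undef;
    my $expired = $rec && $rec->{expires} <= time;
    delete $STORE{$cookie_sid} if $expired;

    my ($store_sid, $reply_sid);
    if ($rec && !$expired) {
        $store_sid = $reply_sid = $cookie_sid;      # live session: reuse the id
    } else {
        $store_sid = new_sid();
        $reply_sid = ($expired && $split_ids) ? new_sid() : $store_sid;
    }
    $STORE{$store_sid} ||= { data => {} };
    $STORE{$store_sid}{expires} = time + 3600;
    $STORE{$store_sid}{data}{user} = 'alice' if $login;
    return $reply_sid;
}

# True if the given cookie value maps to a live, logged-in session.
sub logged_in {
    my ($sid) = @_;
    my $rec = $STORE{$sid};
    return ($rec && $rec->{expires} > time && $rec->{data}{user}) ? 1 : 0;
}

# Regression check: log in while presenting an expired session id, then
# confirm the returned cookie refers to the session that was actually stored.
sub login_survives_expired_cookie {
    my ($split_ids) = @_;
    %STORE = (stale => { expires => time - 60, data => {} });
    my $sid = handle_request('stale', 1, $split_ids);
    return logged_in($sid);
}

printf "consistent ids: %s\n", login_survives_expired_cookie(0) ? 'login ok' : 'login lost';
printf "split ids:      %s\n", login_survives_expired_cookie(1) ? 'login ok' : 'login lost';
```
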

