[Catalyst] Session trouble
Bill Moseley
moseley at hank.org
Mon Jul 16 18:55:42 GMT 2007
On Mon, Jul 16, 2007 at 07:20:36PM +0300, Yuval Kogman wrote:
> Hi,
>
> no update yet, been terribly busy (the client is not being very nice
> to us).
>
> If you need comaint to release yourself let me know. You should have
> commit access, right?
I can take another stab at it -- I had spent a few hours throwing
warn and cluck messages into the code to try and figure out what was
going on. My eyes started to glaze over after a while.
I like how you refactored the plugins quite a bit. But, I wish there
were comments in the code to give a little context. That would make
debugging by people unfamiliar with the code easier. I also find NEXT
makes it a bit more complicated when trying to follow stack traces.
Would you have a few minutes to at least verify if you can reproduce
the problem with the test application I sent? I'd like to rule out any
thing that might be due to my environment.
What seems to be happening (and this was happening with a previous bit
of code from a week or two back) was that I was accessing the session
after it had been cleared/reset at the "end" of finalize (or something
like that). So, that was creating a new sessionid and thus storing
the session data under a different id than the id used in the cookie.
This is the code that's getting me now:
sub calculate_session_cookie_expires {
my $c = shift;
return $c->session->{remember_me}
? $c->session_expires
: $c->NEXT::calculate_session_cookie_expires;
}
I think the quick fix would be to stuff the remember_me flag in the
stash earlier in the request and look at the stash instead of the
session (to avoid creating a new sessionid by calling $c->session).
I thought it might be a matter or moving
$c->_clear_session_instance_data later in the request cycle, but it
seems that's not really the problem. I was seeing multiple sessions
created (and cleared) in the case of a request with a cookie with an
id for an expired session -- which doesn't seem right.
Oh, and to note again: I think the behavior of dieing on invalid
session id format is not right. The id should just be ignored in that
case and a new cookie sent. If someone ends up with a bad cookie (or
the cookie format changes) could result in a lockout.
Thanks,
--
Bill Moseley
moseley at hank.org
More information about the Catalyst
mailing list