[Catalyst] Session problems with IE and cookies
Octavian Rasnita
orasnita at gmail.com
Thu Mar 1 14:35:30 GMT 2007
I am not using 2 cookies, but I think the problem is related to how the
application is sending the cookies.
I thought it was an IE bug, but now I am not so sure anymore, because I have
made some more tests:
I have set the session to expire after 1 minute, and the cookie expiration
time to 0 (to be a session cookie).
In this case, no cookie should be saved on the hard disk of my client
computer, but kept only in memory.
If I click a link after 1 minute with no activity on the site, I can see
that the server is sending a cookie that has an expiry time, even though
I've set it to be a session cookie. It sets the expiry time to the present
time, so it shouldn't be sent back to the server by the browser.
However, the time of the server and the time of the client computer don't
always match.
So if I tried to login again immediately after I've seen that I am logged
out, the browser sends the cookie to the server.
Now I don't know what Catalyst is doing exactly.
I think it should see that there is a session that corresponds to that
cookie, and also see that that session has expired, and it should delete the
session and create a new one. But the application just doesn't allow access,
even though the login was successful. It doesn't create the $c->user
object, so the login form is presented to the user.
If I let more than 1 minute pass and I don't try to login, I am able to
login.
So I don't know how the session storage works, or better said, how the
session files are deleted.
I think that they are deleted (or re-created) only after 1 or 2 minutes, and
not immediately after they expire.
This is what I found, but I don't know for sure what the reason is for it
happening this way.
I am using:
Session
Session::State::Cookie
Session::Store::File
Authentication
Authentication::Store::DBIC
Authentication::Credential::Password
Authorization::Roles
Of course, if I delete the cookie before trying to login, the browser
doesn't send it anymore, and the login goes fine.
Do you have any idea why the cookie is sent by the application with an
expiry date instead of sending a session cookie without it?
Octavian
----- Original Message -----
From: "Michael Alan Dorman" <mdorman at tendentious.org>
To: <catalyst at lists.rawmode.org>
Sent: Thursday, March 01, 2007 2:11 PM
Subject: Re: [Catalyst] Session problems with IE and cookies
> On Wed, 28 Feb 2007 15:31:39 +0200
> "Octavian Rasnita" <orasnita at gmail.com> wrote:
>
>> I have created a site using Catalyst, and I access it with IE, but I
>> can login with no issues.
>> However, 2 customers told me that they can login on the site from one
>> location, but they cannot do it from their work place.
>> I don't know, but it might be the same bug, since after the login,
>> the program is making an external redirection, and the cookies are
>> used...
>>
>> Anyway, if somebody will find what's the problem, please write on the
>> list.
>
> I have seen this problem. I finally fixed it for my application late
> last year, after an embarrassingly long time. In my application the
> sequence of events was:
>
> * user goes to main site, foo.org
>
> * user is issued a cookie, from foo.org
>
> * user submits form, is redirected to bar.foo.org
>
> * user is issued another cookie, from bar.foo.org
>
> * IE begins sending both cookies to bar.foo.org.
>
> Depending on which cookie appears last, one or the other will be
> "active"; if it's the one from foo.org instead of bar.foo.org,
> typically you lose, because the session ID isn't known to bar.foo.org.
>
> I thought I was giving the right domain= values to make sure that
> didn't happen; I can't tell if the problem stems from me being too
> stupid to read the cookie spec right, or the IE team. It's not a spec
> that, in my opinion, is without some ambiguity.
>
> Anyway, the situation appeared intermittently for years. I finally got
> a trace from a single client on all hosts involved that let me see where
> the "mystery key" that was confusing bar.foo.org originated.
>
> The solution I eventually adopted was to also delete the session cookie
> for foo.org at the same time as I did the external redirect to
> bar.foo.org. I haven't heard of the issue popping up again since.
>
> Mike.
>
> _______________________________________________
> List: Catalyst at lists.rawmode.org
> Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
> Searchable archive:
> http://www.mail-archive.com/catalyst@lists.rawmode.org/
> Dev site: http://dev.catalyst.perl.org/
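Both failure modes in this thread (Octavian's expired-but-still-sent session cookie under server/client clock skew, and Mike's two same-named cookies from foo.org and bar.foo.org) come down to which cookies the browser decides to send. The following is an added, constructed model of a browser cookie store written for this archive page; it is not Catalyst or IE code, and the host names, session ids and clock values are made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                      # "foo.org" also matches "bar.foo.org"
    expires: Optional[float] = None  # absolute Expires time; None = session cookie


class CookieJar:
    """Constructed, simplified browser cookie store (illustration only)."""

    def __init__(self):
        self.cookies = []

    def set(self, domain, name, value, expires=None):
        # A cookie is identified by (name, domain); a later Set-Cookie replaces it.
        self.cookies = [c for c in self.cookies if (c.name, c.domain) != (name, domain)]
        self.cookies.append(Cookie(name, value, domain, expires))

    def delete(self, domain, name, client_now):
        # The usual delete idiom: resend the cookie with Expires in the client's past.
        self.set(domain, name, "", expires=client_now - 1)

    def header_for(self, host, client_now):
        """Build the Cookie request header for `host`, judged by the CLIENT clock."""
        sent = []
        for c in self.cookies:
            domain_matches = host == c.domain or host.endswith("." + c.domain)
            alive = c.expires is None or c.expires > client_now
            if domain_matches and alive:
                sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)


def redirect_flow(delete_parent_cookie):
    """Mike's case: cookie from foo.org, redirect to bar.foo.org, second cookie issued."""
    jar, now = CookieJar(), 1000.0
    jar.set("foo.org", "session", "SID-FROM-FOO")
    if delete_parent_cookie:                 # the fix described in the thread
        jar.delete("foo.org", "session", now)
    jar.set("bar.foo.org", "session", "SID-FROM-BAR")
    return jar.header_for("bar.foo.org", now)


def expiry_flow(clock_skew):
    """Octavian's case: server sets Expires to its own 'now', client clock lags by clock_skew."""
    jar, server_now = CookieJar(), 2000.0
    jar.set("foo.org", "session", "OLD-SID", expires=server_now)
    return jar.header_for("foo.org", server_now - clock_skew)
```

With no skew the stale cookie is dropped, but a client clock 30 seconds behind the server still sends it back, which is exactly the login failure Octavian sees; deleting the foo.org cookie before the redirect leaves bar.foo.org with a single unambiguous session id.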