[Catalyst] Duplicate session ids

mla maurice.aubrey at gmail.com
Sat May 26 23:00:31 GMT 2007


Bill Moseley wrote:
> On Sat, May 26, 2007 at 04:08:48PM -0400, Perrin Harkins wrote:
>> On 5/26/07, Bill Moseley <moseley at hank.org> wrote:
>>> Perhaps an easier way to show the problem with duplicate created
>>> sessions would help.
>> Do you mean duplicate or multiple?  The session ID generation code in
>> Catalyst::Plugin::Session does look like it could generate duplicates
>> to me, but that would be rare and unpredictable.
> 
> Ya, sorry.  Multiple.  It's generating one session id, storing values
> under that ID, then creating a new session id and then sending that as
> the cookie.  So when the browser returns that cookie none of the
> session data is there.

I think I see what's happening.

First, it's the same behavior with Session::Store::File.

In Catalyst->handle_request, there's this (debugging added):

   my $c = $class->prepare(@arguments);
   $c->dispatch;
   $c->log->debug("SID Before: " . $c->_sessionid);
   $status = $c->finalize;
   $c->log->debug("SID After: " . $c->_sessionid);

You'll see that the session id changes after the call
to finalize.

   [debug] SID Before: dedcc0cbe98a54a4cb91513d7fc57ac5cabf20ac
   [debug] SID After: a069c84ee4004a21e50faa91f77d3278819c5704

The problem is that the finalize() process calls the
Catalyst::Plugin::Session->finalize_session before finalize_cookies()
is called.

And finalize_session() calls $c->_clear_session_instance_data after
saving.

So by the time your finalize_cookies() is called, the session has
been saved and cleared. When you call $c->session in finalize_cookies(),
it's unaware that the session ever existed, so a new one is created.

I don't know what the proper fix is. I'm still trying to understand
the whole process flow. Maybe $c->session should raise an exception
if it's already been saved. And then should the session try to finalize
later (dunno if that's even possible).

Maurice
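As an added illustration (not code from this thread or from Catalyst itself), here is a small stand-alone Perl model of the two finalize orderings described above; the package and method names are invented, and the `order` switch is an assumption used only to compare the two sequences side by side.

```perl
# Hypothetical model of the finalize ordering problem; not Catalyst code.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

package SessionFlowModel;

sub new { bless { store => {}, cookies => {}, order => $_[1] }, $_[0] }

# Id of the session attached to this request, or undef if none is attached.
sub _sessionid { $_[0]{sid} }

# Like $c->session in the report: silently creates a session if none is attached.
sub session {
    my $self = shift;
    unless (defined $self->{sid}) {
        $self->{sid}  = Digest::SHA::sha1_hex(rand() . time);
        $self->{data} = {};
    }
    return $self->{data};
}

# Persist the session under its id, then drop the per-request instance data.
sub finalize_session {
    my $self = shift;
    return unless defined $self->{sid};
    $self->{store}{ $self->{sid} } = { %{ $self->{data} } };
    $self->_clear_session_instance_data;
}

sub _clear_session_instance_data { delete @{ $_[0] }{qw(sid data)} }

# Set the cookie from whatever session is visible at this point.
sub finalize_cookies {
    my $self = shift;
    $self->session;    # after a clear, this re-creates a session with a fresh id
    $self->{cookies}{session} = $self->{sid};
}

sub finalize {
    my $self = shift;
    return $self->finalize_session, $self->finalize_cookies if $self->{order} eq 'session_first';
    return $self->finalize_cookies, $self->finalize_session;
}

package main;

for my $order (qw(session_first cookies_first)) {
    my $c = SessionFlowModel->new($order);
    $c->session->{user} = 'alice';    # the request stores a value
    my $before = $c->_sessionid;
    $c->finalize;
    my $cookie = $c->{cookies}{session};
    printf "%-13s before=%.8s cookie=%.8s data_found=%s\n", $order, $before, $cookie,
        exists $c->{store}{$cookie} ? 'yes' : 'no';
}
```

With `session_first` the cookie carries an id that has no stored data (the symptom in the report); with `cookies_first` the cookie id matches the saved session.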