[Catalyst] make test fails with C:P:Session:State::Cookie
ema_zep at libero.it
Fri Sep 7 07:43:24 GMT 2007
Daniel McBrearty wrote:
> OK, I searched the list but stupidly didn't look at the CPAN bug tracker
> ... it is a reported bug. In fact there seem to be several issues with
> the live_app.t in 0.07.
> What's the implication? Sessions will time out even though the user
> has revisited?
Exactly (because the cookie expire time is not updated, despite the
accesses - so you have a fixed-duration session).
This is the documented behaviour though:
(see: session_expires $reset)
But then we have another problem (or two):
first, the session_expires method really does not take any argument (any
argument passed to it is simply ignored - have a look at the source).
This may seem at first only a documentation bug, but it implies that any
time you call session_expires(), even with no arguments (for example
only to get the session expire time), you have this undocumented
side-effect which extends the session duration.
Second, for fixed duration sessions, the session expiration control
relies solely on the presence of the cookie sent by the browser: so a
user can turn a fixed duration session into an extended session simply
by editing the cookie expire time (this is a security bug IMO).
I've got a fix for these problems, which basically just restores what
the docs have always said (so it should break no existing code) and it
also eliminates the security bug, but I'm waiting for the author to see
if he approves that approach or if he prefers to get rid of the fixed
duration sessions at all and have only extended sessions by default (as
the mentioned live_app.t test seems to imply).
(Actually, the current code seems to be half-way between these two
choices, so to say...)
Anyway, if you have time, any further research would be interesting.
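As an added example (not Catalyst::Plugin::Session's own code, and written in Python rather than Perl so it runs stand-alone), here is a minimal session store that behaves the way the docs describe: the expiry is held server-side, `session_expires` is a pure read unless a reset is explicitly requested, and a cookie whose expiry the client has edited cannot extend a fixed-duration session. The `SessionStore` class, its methods and the fake clock are assumptions for illustration only.

```python
import time
from typing import Callable, Dict, Optional

class SessionStore:
    """Fixed-duration sessions whose expiry is stored server-side."""

    def __init__(self, duration: int, now: Callable[[], float] = time.time):
        self.duration = duration          # session lifetime in seconds
        self.now = now                    # clock, injectable for tests
        self._expires: Dict[str, float] = {}   # session id -> absolute expiry

    def create(self, sid: str) -> float:
        """Start a new fixed-duration session and return its expiry time."""
        self._expires[sid] = self.now() + self.duration
        return self._expires[sid]

    def session_expires(self, sid: str, reset: bool = False) -> Optional[float]:
        """Return the server-side expiry for sid.

        reset=False is a pure read with no side effect; reset=True pushes the
        expiry out by a full duration, as the documented $reset argument says.
        """
        exp = self._expires.get(sid)
        if exp is None:
            return None
        if reset:
            exp = self.now() + self.duration
            self._expires[sid] = exp
        return exp

    def validate(self, sid: str, cookie_expires: float) -> bool:
        """Accept a request only if the server-side expiry is still in the future.

        cookie_expires is what the browser claims; it is deliberately not used
        for the decision, so editing the cookie cannot prolong the session.
        """
        exp = self._expires.get(sid)
        if exp is None or exp <= self.now():
            self._expires.pop(sid, None)  # forget expired or unknown sessions
            return False
        return True

def demo() -> Dict[str, bool]:
    """Constructed walkthrough on a fake clock starting at t=1000."""
    clock = [1000.0]
    store = SessionStore(duration=60, now=lambda: clock[0])
    store.create("s1"); store.create("s2")
    first = store.session_expires("s1")           # read only -> 1060
    clock[0] += 30
    second = store.session_expires("s1")          # still 1060, no side effect
    extended = store.session_expires("s2", reset=True)   # explicit reset -> 1090
    clock[0] += 40                                # t=1070: s1 expired, s2 not
    return {"read_unchanged": first == second == 1060.0,
            "tampered_cookie_rejected": not store.validate("s1", clock[0] + 3600),
            "reset_extends": extended == 1090.0 and store.validate("s2", 0.0)}
```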