[Catalyst] make test fails with C:P:Session:State::Cookie

Emanuele Zeppieri ema_zep at libero.it
Fri Sep 7 07:43:24 GMT 2007

Daniel McBrearty wrote:

> ok, i searched the list but stupidly didn't look at cpan bugtracker
> ... it is a reported bug. in fact there seem to be several issues with
> the live_app.t in 0.07
> what's the implication? sessions will time out even if though the user
> has revisited?

Exactly (because the cookie expire time is not updated, despite the 
accesses - so you have a fixed-duration session).

This is the documented behaviour though:

(see: session_expires $reset)

But then we have another problem (or two):

first, the session_expires method really does not take any argument (any 
argument passed to it is simply ignored - have a look at the source).
This may seem at first only a documentation bug, but it implies that any 
time you call session_expires(), even with no arguments (for example 
only to get the session expire time), you have this undocumented 
side-effect which extends the session duration.

Second, for fixed duration sessions, the session expiration control 
relies solely on the presence of the cookie sent by the browser: so a 
user can turn a fixed duration session into an extended session simply 
by editing the cookie expire time (this is a security bug IMO).

I've got a fix for these problems, which basically just restores what 
the docs have always said (so it should break no existing code) and it 
also eliminates the security bug, but I'm waiting for the author to see 
if he approves that approach or if he prefers to get rid of the fixed 
duration sessions at all and have only extended sessions by default (as 
the mentioned live_app.t test seems to imply).

(Actually, the current code seems to be half-way between this two 
choices, so to say...)

Anyway, if you have time, any further research would be interesting.


More information about the Catalyst mailing list