[Catalyst] make test fails with C:P:Session:State::Cookie

Daniel McBrearty danielmcbrearty at gmail.com
Fri Sep 7 09:24:05 GMT 2007

Hi Emanuele

thanks for the response. I took a look with the debugger this morning
but didn't have too much time ... you are obviously much further with
this than me.

whatever happens, the code should at least be fixed enough to give
some sensible default behaviour, along with a docs patch, and be able
to get through tests. For my needs, your fix would be fine. If it is
no worse than the previous state of affairs, it should be used IMO

the current situation is that "CPAN Task::Catalyst" DIES because of
this. so it ought to be high priority to at least fix that, IMO

could you post a patch for the solution that you have?



On 9/7/07, Emanuele Zeppieri <ema_zep at libero.it> wrote:
> Daniel McBrearty wrote:
> > ok, i searched the list but stupidly didn't look at cpan bugtracker
> > ... it is a reported bug. in fact there seem to be several issues with
> > the live_app.t in 0.07
> >
> > what's the implication? sessions will time out even if though the user
> > has revisited?
> Exactly (because the cookie expire time is not updated, despite the
> accesses - so you have a fixed-duration session).
> This is the documented behaviour though:
> http://search.cpan.org/~nuffin/Catalyst-Plugin-Session-0.18/lib/Catalyst/Plugin/Session.pm#METHODS
> (see: session_expires $reset)
> But then we have another problem (or two):
> first, the session_expires method really does not take any argument (any
> argument passed to it is simply ignored - have a look at the source).
> This may seem at first only a documentation bug, but it implies that any
> time you call session_expires(), even with no arguments (for example
> only to get the session expire time), you have this undocumented
> side-effect which extends the session duration.
> Second, for fixed duration sessions, the session expiration control
> relies solely on the presence of the cookie sent by the browser: so a
> user can turn a fixed duration session into an extended session simply
> by editing the cookie expire time (this is a security bug IMO).
> I've got a fix for these problems, which basically just restores what
> the docs have always said (so it should break no existing code) and it
> also eliminates the security bug, but I'm waiting for the author to see
> if he approves that approach or if he prefers to get rid of the fixed
> duration sessions at all and have only extended sessions by default (as
> the mentioned live_app.t test seems to imply).
> (Actually, the current code seems to be half-way between this two
> choices, so to say...)
> Anyway, if you have time, any further research would be interesting.
> Cheers,
> Emanuele.
> _______________________________________________
> List: Catalyst at lists.rawmode.org
> Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
> Dev site: http://dev.catalyst.perl.org/

Daniel McBrearty
email : danielmcbrearty at gmail.com
find me on linkedin and facebook
BTW : 0873928131

More information about the Catalyst mailing list