[Catalyst] Unnecessary session writes

Tomas Doran bobtfish at bobtfish.net
Tue Dec 16 18:20:43 GMT 2008

On 10 Dec 2008, at 22:25, Bill Moseley wrote:

> When Catalyst::Session fetches an existing session it records its
> "signature" which it then compare with the session data at the end
> of the request to decide if the session should be written.

> So, if you look at the session every request, for example:
>     # See if user has selected a language preference
>     my $language = $c->session->{language} || 'en';
> Then if a session doesn't exist it will generate a new session id and
> store the empty session to the database (or whatever store you have).
> A bot could have fun inserting rows into your database.

That's not cool :(

> I'm using this instead:

That looks sensible.

Do you fancy writing a test for the issue so we can actually prove it  
is gone?


More information about the Catalyst mailing list