[Catalyst] Unnecessary session writes

Bill Moseley moseley at hank.org
Tue Dec 30 00:12:22 GMT 2008

On Mon, Dec 29, 2008 at 06:10:34PM +0000, Tomas Doran wrote:
> Session handling could do with refactoring as-per the authentication  
> plugins, so that the store and state were not plugins themselves, this 
> would make things a lot 'nicer'.
> However, in the shorter term, providing people with a way to change the 
> default behaviors would go a long way.

I'll try and find some time to look at it.  There's other issues --
I've had a few problems with the session code over time, and discussed
often with nothingmuch and posted a few orphaned patches.

Two I just came across in the last week are it throwing an exception on
invalid session id (instead of just ignoring like a missing one), and
the "cookie_secure" feature that indeed sets the cookie as "secure"
but doesn't prevent it from being sent in a non-SSL session back to
the client, kind of defeating the purpose.

Bill Moseley
moseley at hank.org
Sent from my iMutt
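
The `cookie_secure` point in the message above can be checked from captured responses: the Secure attribute only tells the browser not to return the cookie over plain HTTP, so a Set-Cookie header carrying it on an http:// response has still crossed the wire in clear. The following check is an added example, not part of the original post or of Catalyst's session code; the host, cookie names and exchange records are constructed.

```python
from urllib.parse import urlsplit


def cookie_attributes(set_cookie):
    """Split a Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    first, *attrs = set_cookie.split(";")
    name = first.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; a cookie *value* of "secure" is not an attribute.
    names = {a.split("=", 1)[0].strip().lower() for a in attrs}
    return name, names


def secure_cookies_sent_in_clear(exchanges):
    """Return (url, cookie name) for every Secure cookie set on a non-HTTPS response."""
    findings = []
    for url, headers in exchanges:
        if urlsplit(url).scheme.lower() == "https":
            continue  # set over TLS: the attribute and the transport agree
        for key, value in headers:
            if key.lower() != "set-cookie":
                continue
            name, attrs = cookie_attributes(value)
            if "secure" in attrs:
                findings.append((url, name))
    return findings


# Constructed sample exchanges: (request URL, response headers).
SAMPLE = [
    ("http://app.example/login",
     [("Content-Type", "text/html"),
      ("Set-Cookie", "myapp_session=0123abcd; path=/; Secure; HttpOnly")]),
    ("https://app.example/login",
     [("Set-Cookie", "myapp_session=4567cdef; path=/; secure")]),
    ("http://app.example/",
     [("set-cookie", "theme=secure; path=/")]),
    ("http://app.example/cart",
     [("Set-Cookie", "lang=en; Path=/"),
      ("SET-COOKIE", "myapp_session=89ab0123; SECURE")]),
]

if __name__ == "__main__":
    for url, name in secure_cookies_sent_in_clear(SAMPLE):
        print(f"{name} is marked Secure but was set over plaintext: {url}")
```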
