[Catalyst] Session collisions

Jim Spath jspath at pangeamedia.com
Fri Jul 11 15:47:03 BST 2008

We've gotten some reports in one of our Catalyst applications that users 
are "swapping places".  ie, they are suddenly logged in as another user, 
or someone has accessed their account.  I've done some quick looking and 
don't see anything unusual.

I was wondering if it could possibly be session key collisions?  Have 
any of you experienced this?

I'm using the following session plugins:

  Session (0.13)
  Session::Store::Memcached (0.2 current)
  Session::State::Cookie (0.06)

They are not the most current versions, although I don't see anything in 
the changelog relating to session collisions.

Also, does anyone have advice on how to institute some debugging to try 
to catch these session collisions?  I was thinking of storing their 
username in a separate cookie, and checking this cookie when we load a 
session to make sure that they match, similarly to how the 
verify_address functionality works.


More information about the Catalyst mailing list