[Catalyst] Session collisions

Ash Berlin ash_cpan at firemirror.com
Fri Jul 11 16:02:08 BST 2008

On 11 Jul 2008, at 15:47, Jim Spath wrote:

> We've gotten some reports in one of our Catalyst applications that  
> users are "swapping places".  ie, they are suddenly logged in as  
> another user, or someone has accessed their account.  I've done some  
> quick looking and don't see anything unusual.
> I was wondering if it could possibly be session key collisions?   
> Have any of you experienced this?

Yes, I've had similar reports from IE users. Let me work out what I  
changed..... Ah yes - it was an over zealous proxy sitting in the  

sub end : ActionClass('RenderView') {
     my ($self, $c) = @_;

     $c->res->header(Pragma => 'no-cahce');
     $c->res->header('Cache-Control' => "no-cache, must-revalidate");

was how I solved my problem. Of course this was for a classroom of  
kids so it was easier to work out since I knew they'd be behind the  
same proxy.

> I'm using the following session plugins:
> Session (0.13)
> Session::Store::Memcached (0.2 current)
> Session::State::Cookie (0.06)
> They are not the most current versions, although I don't see  
> anything in the changelog relating to session collisions.
> Also, does anyone have advice on how to institute some debugging to  
> try to catch these session collisions?  I was thinking of storing  
> their username in a separate cookie, and checking this cookie when  
> we load a session to make sure that they match, similarly to how the  
> verify_address functionality works.
> Thanks!
> Jim

(I was using Cache::FastMmap at the time)


More information about the Catalyst mailing list