[Catalyst] Session collisions
Ash Berlin
ash_cpan at firemirror.com
Fri Jul 11 16:02:08 BST 2008
On 11 Jul 2008, at 15:47, Jim Spath wrote:
> We've gotten some reports in one of our Catalyst applications that
> users are "swapping places", i.e., they are suddenly logged in as
> another user, or someone has accessed their account. I've done some
> quick looking and don't see anything unusual.
>
> I was wondering if it could possibly be session key collisions?
> Have any of you experienced this?
Yes, I've had similar reports from IE users. Let me work out what I
changed..... Ah yes - it was an overzealous proxy sitting in the
middle.
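    sub end : ActionClass('RenderView') {
        my ($self, $c) = @_;
        # Tell browsers and intermediate proxies not to reuse a stored
        # response without revalidating it first.
        $c->res->header(Pragma => 'no-cache');
        $c->res->header('Cache-Control' => "no-cache, must-revalidate");
    }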
was how I solved my problem. Of course this was for a classroom of
kids so it was easier to work out since I knew they'd be behind the
same proxy.
>
>
> I'm using the following session plugins:
>
> Session (0.13)
> Session::Store::Memcached (0.2 current)
> Session::State::Cookie (0.06)
>
> They are not the most current versions, although I don't see
> anything in the changelog relating to session collisions.
>
> Also, does anyone have advice on how to institute some debugging to
> try to catch these session collisions? I was thinking of storing
> their username in a separate cookie, and checking this cookie when
> we load a session to make sure that they match, similarly to how the
> verify_address functionality works.
>
> Thanks!
> Jim
(I was using Cache::FastMmap at the time)
-ash
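
Added example (not from either poster and not Catalyst's own code): a framework-independent Perl sketch of the debugging check Jim describes, a username cookie compared against the user in the loaded session, with an HMAC so the cookie cannot simply be edited. The names make_canary, check_canary, ct_eq and $SECRET are hypothetical, and the requests are constructed sample data.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: server-side secret, never sent to the browser (placeholder value).
my $SECRET = 'replace-with-a-random-server-side-secret';

# Canary cookie value issued once at login: "username|HMAC(username)".
sub make_canary {
    my ($username) = @_;
    return join '|', $username, hmac_sha256_hex($username, $SECRET);
}

# Constant-time string comparison for the MAC check.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Compare the canary cookie with the user stored in the session just loaded.
# Returns 'ok', 'missing', 'forged' or 'mismatch'.
sub check_canary {
    my ($cookie, $session_user) = @_;
    return 'missing' unless defined $cookie && length $cookie;
    my ($name, $mac) = $cookie =~ /\A(.*)\|([0-9a-f]{64})\z/s
        or return 'forged';
    return 'forged' unless ct_eq($mac, hmac_sha256_hex($name, $SECRET));
    return $name eq $session_user ? 'ok' : 'mismatch';
}

# Constructed sample requests: [session id, user stored in session, canary cookie].
my @requests = (
    [ 'sid-aaa', 'alice', make_canary('alice') ],   # normal request
    [ 'sid-aaa', 'alice', make_canary('bob') ],     # bob's browser presenting alice's session
    [ 'sid-bbb', 'bob',   'bob|' . ('0' x 64) ],    # canary edited by hand
    [ 'sid-ccc', 'carol', undef ],                  # canary cookie absent
);
for my $r (@requests) {
    my ($sid, $user, $canary) = @$r;
    my $verdict = check_canary($canary, $user);
    next if $verdict eq 'ok';
    my $claimed = defined $canary ? (split /\|/, $canary)[0] : '-';
    printf "session-canary %s: sid=%s session_user=%s cookie_user=%s\n",
        $verdict, $sid, $user, $claimed;
}
```

A 'mismatch' line is the "swapped places" case: the session belongs to one user while the browser still holds another user's canary. Logging it together with the client address and any Via or X-Forwarded-For request headers helps show whether the affected users sit behind the same proxy.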