Bill Moseley moseley at hank.org
Sat Jun 6 22:57:20 GMT 2009

I was looking over the session code and noticed this:

    sub session {
        my $c = shift;

        $c->_session || $c->_load_session || do {

My concern is the use of create_session_id_if_needed().

If it can't fetch the session then it would appear that it creates
a new session using the *user provided* session id.

In other words, it provides a way for users to generate their own
session ids as long as it passes the validate_session_id method,
which doesn't take much.

I would think that if a passed-in session id is not valid then
a newly created session must have a key generated by the application
and not use one passed in by the user.  From the looks of the code
it would seem like someone could create a session with an id of "1",
for example.

My question is, can anyone see why not just do this:

    sub session {
        my $c = shift;

        $c->_session || $c->_load_session || do {

In order to load the session it needs the session id by calling
_load_sessionid.  When it does that it stores the session id if it's

In _load_sessionid:

    if ( defined( my $sid = $c->get_session_id ) ) {
        if ( $c->validate_session_id($sid) ) {
            # temporarily set the inner key, so that validation will work
            warn "setting _sessionid($sid)\n";
            return $sid;
        } ...

Which sets the session id as long as it passes:

    sub validate_session_id {
        my ( $c, $sid ) = @_;

        $sid and $sid =~ /^[a-f\d]+$/i;
    }

Bill Moseley
moseley at hank.org
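
The concern raised in the post above, as an added example that is not part of the original message and is not Catalyst::Plugin::Session code: a session lookup that adopts a well-formed client-supplied id on a store miss, next to one that honours a client id only when the store already holds it. The in-memory hash store and the names `session_permissive`, `session_strict` and `generate_session_id` are hypothetical; only the format check is taken from the post.

```perl
#!/usr/bin/perl
# Added illustration; hypothetical names, not Catalyst::Plugin::Session code.
use strict;
use warnings;

# Same format check as quoted in the post: any non-empty hex string passes.
sub validate_session_id {
    my ($sid) = @_;
    return $sid && $sid =~ /^[a-f\d]+$/i;
}

# Server-side id: 128 bits from the OS CSPRNG, hex encoded.
sub generate_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    (read($fh, my $bytes, 16) // 0) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Behaviour the post is concerned about: on a store miss, a well-formed
# client-supplied id becomes the key of the new session.
sub session_permissive {
    my ($store, $client_sid) = @_;
    my $sid = validate_session_id($client_sid) ? $client_sid : generate_session_id();
    $store->{$sid} ||= {};
    return $sid;
}

# Behaviour the post proposes: a client id is honoured only if the store
# already holds it; otherwise the application mints the key.
sub session_strict {
    my ($store, $client_sid) = @_;
    return $client_sid
        if validate_session_id($client_sid) && exists $store->{$client_sid};
    my $sid = generate_session_id();
    $store->{$sid} = {};
    return $sid;
}

my $client_sid = '1';    # constructed sample id, the one used in the post
my (%store_a, %store_b);
my $permissive = session_permissive(\%store_a, $client_sid);
my $strict     = session_strict(\%store_b, $client_sid);
printf "permissive: session key %s\n", $permissive;
printf "strict:     session key %s (client-chosen: %s)\n",
    $strict, $strict eq $client_sid ? 'yes' : 'no';
# A key issued earlier by the application is still accepted on a later request.
printf "strict reuse of issued key: %s\n",
    session_strict(\%store_b, $strict) eq $strict ? 'yes' : 'no';
```

The strict variant also shows why the format check alone cannot carry the decision: it is the store lookup, not the regex, that distinguishes an id the application issued from one the client made up.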
