[Catalyst] Session id creation
Bill Moseley
moseley at hank.org
Sat Jun 6 22:57:20 GMT 2009
I was looking over the session code and noticed this:
sub session {
my $c = shift;
$c->_session || $c->_load_session || do {
$c->create_session_id_if_needed;
$c->initialize_session_data;
};
}
My concern is the use of create_session_id_if_needed().
If it can't fetch the session then, it would appear, that it creates
a new session using the *user provided* session id.
In other words, it provides a way for users to generate their own
session ids as long as it passes the validate_session_id method,
which doesn't take much.
I would think that if a passed in session id is not valid then
a newly created session must have a key generated by the application
and not use one passed in by the user. From the looks of the code
it would seem like someone could create a session with an id of "1",
for example.
My question is can anyone see why not just do this:
sub session {
my $c = shift;
$c->_session || $c->_load_session || do {
$c->create_session_id;
$c->initialize_session_data;
};
}
In order to load the session it needs the session id by calling
_load_sessionid. When it does that it stores the session id if it's
"valid".
In _load_sessionid:
if ( defined( my $sid = $c->get_session_id ) ) {
if ( $c->validate_session_id($sid) ) {
# temporarily set the inner key, so that validation will work
warn "setting _sessionid($sid)\n";
$c->_sessionid($sid);
return $sid;
} ...
Which sets the session id as long as it passes:
sub validate_session_id {
my ( $c, $sid ) = @_;
$sid and $sid =~ /^[a-f\d]+$/i;
}
--
Bill Moseley
moseley at hank.org
Sent from my iMutt
More information about the Catalyst
mailing list