[SPAM] Re: [Catalyst] Session id creation
kmx
kmx at volny.cz
Sun Jun 14 08:34:06 GMT 2009
Hi,
> I'm fairly convinced that we should at least give the user the option
> to be extra paranoid if they want to, and we should add additional
> documentation about potential issues.
>
> I just haven't had time to work on any of this yet, it's somewhere on
> my list - but if anyone else wants to volunteer patches, then they're
> very welcome as always ;)
I have done some research and found out that it would be nice to have
the following 2 methods available in Catalyst::Plugin::Session
1) a method that just changes the sessionid but keeps all session data
2) a method that starts a completely new session - new sessionid, new
cookie, clean session data (just the necessary internal items like __user,
__user_realm, ...)
Then after (or during) authenticate() I can decide to: call method 1) OR
call method 2) OR do nothing.
ad 1) - my proposal is something like this:
    sub change_session_id {
        my $c = shift;
        my $oldsid = $c->_sessionid;
        my $newsid = $c->create_session_id;
        # delete the old session data from the store;
        # the current $c->_session will be saved under the new sessionid
        if ($oldsid) {
            $c->log->debug(qq/Deleting session data for "$oldsid"/) if $c->debug;
            $c->delete_session_data("${_}:${oldsid}") for qw/session expires flash/;
        }
        return $newsid;
    }
And I can simply use it in my login action like this:
    if ($c->authenticate( { username => $user, password => $pass } )) {
        $c->change_session_id;
        ...
    }
ad 2) - despite the fact that it seems to be as simple as creating a new
session - it is not (at least I was not able to do it easily as delete-then-create).
We are going to call it after authenticate() and we cannot just drop all
session data, because after authenticate the session data contains info
like '__user' etc. that we want to keep. I have not found a "nice"
solution - this is just a sort of idea:
    sub restart_session {
        my $c = shift;
        my $newsid = $c->change_session_id;  # new session id (clears old session data from the store)
        $c->_clear_session_instance_data;    # clear the session instance data
        $c->initialize_session_data;         # store __created, __updated, __address
        $c->persist_user if ($c->user);      # store __user_realm, __user
        return $newsid;
    }
And I can again simply use it in my login action like this:
    if ($c->authenticate( { username => $user, password => $pass } )) {
        $c->restart_session;
        ...
    }
To be honest, it is still quite hard for me to follow the whole Catalyst
session stuff, thus my suggestion might be slightly outside the Catalyst
session concept. Any feedback welcome.
--
kmx
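A standalone Perl model of the two operations proposed above, added here as an illustration; it is not code from Catalyst::Plugin::Session or from the poster. It builds a toy session object over a shared in-memory store, a change_session_id that rotates the id but keeps the session hash, and a restart_session that also wipes the hash except for the user entries, then walks a session-fixation attack through all three choices (do nothing, method 1, method 2) to show which one leaves the attacker's planted id usable. The package and method names (ToySession, finalize, load, run_login, the %USERS table) are assumptions made for the example, and reading /dev/urandom for the id assumes a Unix-like host.

```perl
#!/usr/bin/env perl
# Added illustration, not Catalyst::Plugin::Session code: a toy session
# object over a shared in-memory store, used to show why rotating the
# session id at login defeats session fixation. All names are assumptions.
use strict;
use warnings;
use Test::More;

package ToySession;

sub new {
    my ($class, %args) = @_;
    return bless { store => $args{store} || {}, sid => undef, data => {} }, $class;
}

sub sessionid { $_[0]{sid} }
sub session   { $_[0]{data} }          # the per-request session hash

# New unguessable id from the OS CSPRNG (assumes /dev/urandom exists).
sub create_session_id {
    my ($self) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from urandom";
    close $fh;
    return $self->{sid} = unpack 'H*', $bytes;
}

sub store_session_data  { $_[0]{store}{ $_[1] } = $_[2] }
sub get_session_data    { $_[0]{store}{ $_[1] } }
sub delete_session_data { delete $_[0]{store}{ $_[1] } }

# Persist the in-memory hash under the current id (end-of-request step).
sub finalize {
    my ($self) = @_;
    return unless $self->{sid};
    $self->store_session_data("session:$self->{sid}", { %{ $self->{data} } });
    $self->store_session_data("expires:$self->{sid}", time + 3600);
}

# Load the session a request's cookie points at; false if the id is unknown.
sub load {
    my ($self, $sid) = @_;
    my $data = $self->get_session_data("session:$sid") or return 0;
    $self->{sid}  = $sid;
    $self->{data} = { %$data };
    return 1;
}

# Hypothetical credential check; on success records the user (like persist_user).
my %USERS = (alice => 's3cret');
sub authenticate {
    my ($self, $user, $pass) = @_;
    return 0 unless exists $USERS{$user} && $USERS{$user} eq $pass;
    @{ $self->{data} }{qw(__user __user_realm)} = ($user, 'default');
    return 1;
}

# Method 1: new id, same data; the old id's store entries are removed.
sub change_session_id {
    my ($self) = @_;
    my $oldsid = $self->{sid};
    my $newsid = $self->create_session_id;
    if ($oldsid) {
        $self->delete_session_data("$_:$oldsid") for qw(session expires flash);
    }
    return $newsid;
}

# Method 2: new id and a clean hash, keeping only the internal user entries.
sub restart_session {
    my ($self) = @_;
    my $newsid = $self->change_session_id;
    my @user   = @{ $self->{data} }{qw(__user __user_realm)};
    $self->{data} = { __created => time, __updated => time };
    @{ $self->{data} }{qw(__user __user_realm)} = @user if defined $user[0];
    return $newsid;
}

package main;

# Walk a fixation attack through one login policy; report what each side sees.
sub run_login {
    my ($mode) = @_;                               # 'none', 'change' or 'restart'
    my $store  = {};
    my $attacker = ToySession->new(store => $store);
    my $fixed    = $attacker->create_session_id;   # the id the attacker plants
    $attacker->finalize;

    my $victim = ToySession->new(store => $store); # victim arrives with that cookie
    $victim->load($fixed) or die 'fixated id should load';
    $victim->session->{cart} = ['widget'];         # pre-login state
    $victim->authenticate('alice', 's3cret') or die 'login should succeed';
    $victim->change_session_id if $mode eq 'change';
    $victim->restart_session   if $mode eq 'restart';
    $victim->finalize;

    my $replay = ToySession->new(store => $store); # attacker replays $fixed
    return {
        attacker_user => $replay->load($fixed) ? $replay->session->{__user} : undef,
        sid_rotated   => $victim->sessionid ne $fixed ? 1 : 0,
        cart_kept     => exists $victim->session->{cart} ? 1 : 0,
        victim_user   => $victim->session->{__user},
    };
}

my $r = run_login('none');
is($r->{attacker_user}, 'alice', 'no rotation: the planted id is now a logged-in session');
$r = run_login('change');
ok(!defined $r->{attacker_user} && $r->{sid_rotated}, 'change_session_id: planted id is dead');
ok($r->{cart_kept}, '... and pre-login session data survived');
$r = run_login('restart');
ok(!defined $r->{attacker_user} && $r->{sid_rotated}, 'restart_session: planted id is dead');
ok(!$r->{cart_kept} && $r->{victim_user} eq 'alice', '... pre-login data gone, user kept');
done_testing();
```

Run it with `perl` and Test::More (core) prints one line per check. The point the model makes is that the store key is the session id, so deleting the old id's entries is what kills the planted cookie; whether the hash is kept (method 1) or rebuilt from the internal entries (method 2) only decides what pre-login state survives the login.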