Bug #20992 for Apache-Session-Wrapper: _bake_cookie sets empty (undef?) value when deleting sessions

On Mon Aug 14 19:12:42 2006, DPRICE wrote: Show quoted text
Is this a bug in Apache2::Cookie? It seems like it, since it's a change in behavior compared to Apache::Cookie, and it's not documented anywhere. Could you report this to the libapreq2 maintainer?

It might be a bug in Apache2::Cookie or an undocumented API change, but when the work-around is so simple, why not implement it in Apache::Session::Wrapper? Some distros take so long to update their mod_perl package, and some production systems avoid upgrades to such a degree, that it might be years before Apache2::Session::Wrapper begins working again on those platforms if it waits for the libapreq2 fix to trickle down. Thanks,

On Mon Sep 18 11:17:09 2006, autarch@urth.org wrote: Show quoted text
Since, as you point out, the behavior of Apache2::Cookie->new with an undefined value for -version is undocumented, whether this is a bug or you were depending on undefined behavior may still be up for debate. Do you care to have that our with the libapreq2 folks? Show quoted text
it's Show quoted text
Since the workaround should be backward compatible, I don't see what you would have to "keep doing". Why would expiring the cookie before deleting the session ID from the hash break when run against any other libapreq version? All it does is ensure that a defined -value is passed to Apache2::Cookie->new. Show quoted text
Yes. Do you think you can convince the libapreq2 maintainers that it is a bug? Show quoted text
Actually, I simply created my own version of Apache::Session::Wrapper with the fix, but it would be nice not to have to port every Apache::Session::Wrapper change forward into my new (and I was hoping, temporary) module. Would it help if I volunteered as a comaintainer for Apache::Session::Wrapper? Incidentally, you already protect against passing any other undefined values to Apache2::Cookie->new in _bake_cookie. Protecting the -value argument in the same way is as effective as my suggested fix, like: my $cookie = $self->{cookie_class}->new ( @{ $self->{new_cookie_args} }, -name => $self->{cookie_name}, ( defined $self->{session_id} ? ( -value => $self->{session_id} ) : () ), ( defined $expires ? ( -expires => $expires ) : () ), ( defined $domain ? ( -domain => $domain ) : () ), -path => $self->{cookie_path}, -secure => $self->{cookie_secure}, ); Instead of the current: my $cookie = $self->{cookie_class}->new ( @{ $self->{new_cookie_args} }, -name => $self->{cookie_name}, -value => $self->{session_id}, ( defined $expires ? ( -expires => $expires ) : () ), ( defined $domain ? ( -domain => $domain ) : () ), -path => $self->{cookie_path}, -secure => $self->{cookie_secure}, ); Thanks again,

On Mon, 18 Sep 2006, Derek R. Price via RT wrote: Show quoted text
I just came up with a similar fix myself. Show quoted text
I don't. It works around the bug by changing code that's not local to where the problem manifests. That's what I meant when I said it would be something I'd have to maintain going forward. I'd have a change in one spot which works around a bug in an entirely non-obvious way.

On Mon Sep 18 12:36:26 2006, autarch@urth.org wrote: Show quoted text
Sorry if it's a silly question, but I was thinking that my previous posts may have been worded somewhat unclearly and the ordering of your responses confused me: something like the above fix is the one you are testing, correct? It is the one that I found that works with A2::C... Show quoted text
Okay, I can see the logic of this. Thanks. Show quoted text
I cc'd you on my initial report(s) to modperl@perl.apache.org. Hopefully that was the correct list. You should have the emails already, assuming your spam filter didn't eat my messages. Show quoted text
Great! I'm looking forward to the fresh release! Thanks again,