This queue is for tickets about the CGI-Session CPAN distribution.

Report information
The Basics
Id: 29138
Status: resolved
Priority: 0/
Queue: CGI-Session

People
Owner: MARKSTOS [...] cpan.org
Requestors: nick [...] andrews-consultancy.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: New bug report for CGI::Session
Date: Mon, 3 Sep 2007 19:01:30 +0100
To: <bug-CGI-Session [...] rt.cpan.org>
From: "Nick Andrews" <nick [...] andrews-consultancy.com>
Hi Mark,

I believe I've found a new bug in CGI::Session (v4.20). I have been able to replicate this issue reliably across platforms (Win and Unix) and have identified the cause of the problem and a proposed fix.

The issue arises as follows:

- You're using -ip_match
- You have an existing session
- Your IP has changed since your last session

Here's my analysis of what happens next:

- Browser presents session ID in the cookie
- Call to new() detects that the IP doesn't match, deletes session, creates a new one
- The new session thus created in this scenario is always *missing* the _SESSION_REMOTE_ADDR parameter. This is where the bug lies.
- For this reason all subsequent requests then follow the same pattern: IP doesn't match (because there now isn't one in the session), a new session is created (again without an IP), and the result is a broken session which never 'sticks'.

Looking at the code I believe this is fixed by the addition of the following 1 extra line after line 82:

    $dataref->{_SESSION_REMOTE_ADDR} = $ENV{REMOTE_ADDR} || "";

I hope that my analysis is correct, and that this will enable the posting of a corrected version of the module.

Best wishes,
Nick Andrews
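
The failure mode described in this report, as an added example that is not part of the original ticket and is not CGI::Session's own code: a simplified in-memory model of session loading with IP matching. The names `create_session`, `new_session`, `distinct_ids` and `%store` and the IP addresses are constructed for illustration; only the `$dataref` assignment is taken from the report.

```perl
use strict;
use warnings;

my %store;          # in-memory stand-in for the session storage driver
my $counter = 0;

# Create a session record. $record_ip is true on the ordinary creation path;
# on the re-creation path it is true only when the proposed fix is applied.
sub create_session {
    my ($record_ip) = @_;
    my $dataref = { _SESSION_ID => sprintf('sid%03d', ++$counter) };
    $dataref->{_SESSION_REMOTE_ADDR} = $ENV{REMOTE_ADDR} || "" if $record_ip;
    $store{ $dataref->{_SESSION_ID} } = $dataref;
    return $dataref->{_SESSION_ID};
}

# Model of new() with -ip_match: reuse the session only when the stored
# address equals the caller's; otherwise delete it and create a new one.
sub new_session {
    my ($cookie_sid, $with_fix) = @_;
    my $dataref = defined $cookie_sid ? $store{$cookie_sid} : undef;
    return create_session(1) unless $dataref;    # no prior session

    my $stored = $dataref->{_SESSION_REMOTE_ADDR};
    return $cookie_sid
        if defined $stored && $stored eq ($ENV{REMOTE_ADDR} || "");

    delete $store{$cookie_sid};                  # IP mismatch
    return create_session($with_fix);
}

# Count the distinct session ids one client is issued over five requests
# when its address changes after the first request.
sub distinct_ids {
    my ($with_fix) = @_;
    %store = ();
    local $ENV{REMOTE_ADDR} = '192.0.2.10';      # constructed address
    my $sid  = new_session(undef, $with_fix);    # first visit
    my %seen = ($sid => 1);
    $ENV{REMOTE_ADDR} = '198.51.100.7';          # client's IP changes
    for (1 .. 4) {
        $sid = new_session($sid, $with_fix);     # cookie echoes last id
        $seen{$sid} = 1;
    }
    return scalar keys %seen;
}

printf "without fix: %d session ids over 5 requests\n", distinct_ids(0);
printf "with fix:    %d session ids over 5 requests\n", distinct_ids(1);
```

Without the extra assignment every request after the address change is issued a fresh id; with it the session is re-created once and then reused.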
From: bf.mbox [...] gmail.com
Nick,

Could you please be specific as to which file you are fixing? I am having similar problems and do not see a follow up to this report. (A context diff would be useful)

Another case to consider is when a browser has been closed and the session cookie is deleted, then the browser is restarted and CGI::Session does not have a session id cookie.

Thanks,
Barry Friedman

On Mon Sep 03 14:13:42 2007, nick@andrews-consultancy.com wrote:
>
> Looking at the code I believe this is fixed by the addition of the
> following 1 extra line
> after line 82:
>
> $dataref->{_SESSION_REMOTE_ADDR} = $ENV{REMOTE_ADDR} || "";
>
> I hope that my analysis is correct, and that this will enable the
> posting of
> a corrected version of the module.
>
> Best wishes,
> Nick Andrews
>
CC: cgi-session-user [...] lists.sf.net
Subject: Re: [rt.cpan.org #29138] New bug report for CGI::Session
Date: Mon, 18 Feb 2008 10:14:27 -0500
To: bug-CGI-Session [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
This change looks OK to me.

However, I'm about to have a baby any day (hour?) now, so if someone else could update the code, tests and changelog for this, that would be appreciated. (Antirice, still there?)

Just post a patch in "diff -u" format as an attachment to this bug report, or commit directly if you have access.

Mark

Barry Friedman via RT wrote:
> Queue: CGI-Session
> Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=29138 >
>
> Nick,
>
> Could you please be specific as to which file you are fixing?
> I am having similar problems and do not see a follow up to this
> report. (A context diff would be useful)
>
> Another case to consider is when a browser has been closed and the
> session cookie is deleted, then the browser is restarted and
> CGI::Session does not have a session id cookie.
>
> Thanks,
> Barry Friedman
>
> On Mon Sep 03 14:13:42 2007, nick@andrews-consultancy.com wrote:
>>
>> Looking at the code I believe this is fixed by the addition of the
>> following 1 extra line
>> after line 82:
>>
>> $dataref->{_SESSION_REMOTE_ADDR} = $ENV{REMOTE_ADDR} || "";
>>
>> I hope that my analysis is correct, and that this will enable the
>> posting of
>> a corrected version of the module.
>>
>> Best wishes,
>> Nick Andrews
>>

--
Mark Stosberg
Principal Developer
mark@summersault.com
Summersault, LLC
765-939-9301 ext 202
database driven websites
http://www.summersault.com/
Ron Savage said this is resolved in our code repository now.

Mark