Subject: New bug report for CGI::Session
Date: Mon, 3 Sep 2007 19:01:30 +0100
To: <bug-CGI-Session [...] rt.cpan.org>
From: "Nick Andrews" <nick [...] andrews-consultancy.com>
Hi Mark,
I believe I've found a new bug in CGI::Session (v4.20). I have been able to
replicate this issue reliably across platforms (Win and Unix) and have
identified the cause of the problem and a proposed fix.
The issue arises as follows:
- You're using -ip_match
- You have an existing session
- Your IP has changed since your last session
Here's my analysis of what happens next:
- Browser presents session ID in the cookie
- Call to new() detects that the IP doesn't match, deletes session, creates a new one
- The new session thus created in this scenario is always *missing* the _SESSION_REMOTE_ADDR parameter. This is where the bug lies.
- For this reason all subsequent requests then follow the same pattern: IP doesn't match (because there now isn't one in the session), a new session is created (again without an IP), and the result is a broken session which never 'sticks'.
Looking at the code I believe this is fixed by the addition of the following 1 extra line after line 82:
$dataref->{_SESSION_REMOTE_ADDR} = $ENV{REMOTE_ADDR} || "";
I hope that my analysis is correct, and that this will enable the posting of a corrected version of the module.
Best wishes,
Nick Andrews
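
The failure pattern described in the report above, as an added example that is not part of the original message and is not CGI::Session's own code. It is a simplified model: `%store`, `load_or_create()`, `run()` and the `$fixed` switch are hypothetical names, and the addresses and session IDs are constructed sample values.

```perl
#!/usr/bin/perl
# Simplified model of the -ip_match behaviour described in the report.
# Not CGI::Session's code; all names here are hypothetical.
use strict;
use warnings;

my %store;          # session id => data hashref (stands in for the driver)
my $next_id = 1;

sub load_or_create {
    my ($sid, $remote_addr, $fixed) = @_;
    my $replacing = 0;
    if (defined $sid && exists $store{$sid}) {
        my $stored = $store{$sid}{_SESSION_REMOTE_ADDR};
        # ip_match check: the stored address must equal the client's address
        return $sid if defined $stored && $stored eq $remote_addr;
        delete $store{$sid};    # mismatch: discard the old session
        $replacing = 1;
    }
    my $new = 's' . $next_id++;
    $store{$new} = { _SESSION_ID => $new };
    # Ordinary creation records the address. The replacement path only does
    # so when the line proposed in the report is present ($fixed is true).
    $store{$new}{_SESSION_REMOTE_ADDR} = $remote_addr
        if !$replacing || $fixed;
    return $new;
}

sub run {
    my ($fixed) = @_;
    %store   = ();
    $next_id = 1;
    # Constructed starting point: a session created from 192.0.2.10
    $store{s0} = { _SESSION_ID => 's0', _SESSION_REMOTE_ADDR => '192.0.2.10' };
    my $cookie = 's0';
    my @seen;
    # The same client now sends four requests from 198.51.100.7
    for (1 .. 4) {
        $cookie = load_or_create($cookie, '198.51.100.7', $fixed);
        push @seen, $cookie;
    }
    return @seen;
}

print "without the proposed line: @{[ run(0) ]}\n";
print "with the proposed line:    @{[ run(1) ]}\n";
```

Without the proposed line the model issues a different session ID on every request; with it, the replacement session is reused from the second request onward.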