Skip Menu |

This queue is for tickets about the CGI-Session CPAN distribution.

Report information
The Basics
Id: 34280
Status: resolved
Priority: 0/
Queue: CGI-Session

People
Owner: MARKSTOS [...] cpan.org
Requestors: mail [...] adtim.ru
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Incorrect session ID for subdomain
Date: Thu, 20 Mar 2008 14:47:06 +0300
To: bug-CGI-Session [...] rt.cpan.org
From: Тимур Кондратьев <mail [...] adtim.ru>
Hello. I have 2 different sites: site.com and sub.site.com both using CGI::Session When I go to sub.site.com there are 2 session cookies are being sent, first with Host: .site.com and second with Host: sub.site.com The problem is CGI::Session use first cookie, which isn't valid for sub.site.com, thus creating new session each time you hit sub.site.com Changing $CGI::Session::NAME is not the option cause both sites run on same server under mod_perl persistent environment. Versions: # $Id: Session.pm 353 2006-12-05 02:10:19Z markstos $ $CGI::Session::VERSION 4.20 This is perl, v5.8.8 built for i386-freebsd-64int Thank you.
CC: bug-CGI-Session [...] rt.cpan.org
Subject: Re: [Cgi-session-user] [Fwd: [rt.cpan.org #34280] Incorrect session ID for subdomain]
Date: Fri, 21 Mar 2008 11:35:02 -0400
To: List - CGI::Session <cgi-session-user [...] lists.sourceforge.net>
From: Mark Stosberg <mark [...] summersault.com>
Show quoted text
> o Digression: Line 93 of CGI::Cookie is: > s/\s*(.*?)\s*/$1/; > whereas line 34 of CGI::Simple::Cookie is: > $pair =~ s/^\s+|\s+$//; # trim leading trailing whitespace > You can see there's a missing /g on this last line, since it removes > either leading or trailing spaces, but not both. I'll log a bug report.
Great catch, Ron! Show quoted text
> Whose responsibility is it to ensure only cookies for the 'current' > domain are retrieved from the headers sent by the client? I suppose the > client should only be sending 'relevant' cookies. Perhaps in OP's > situation, both cookies are relevant?
I did the Perlmonks.org test of logging in both with and without the "www" and then checking the cookies set when I visit "www". Two cookies are sent. Firefox sent "perlmonks.org" first, and then "www.perlmonks.org" second. I also read the Cookie RFC to see if there is a "right" order to send and parse cookies in, and it appears there is not. Therefore, I think this is not a bug at all, but the user's burden to check the domain in this case and make sure they have the right cookie. Mark
This is a bug in CGI::Session. It is the user's responsibility to check the domains and select the right cookie if necessary. You could consider giving the cookies different names in those different contexts to further avoid confusion. Mark