
This queue is for tickets about the Apache-Session-Wrapper CPAN distribution.

Report information
The Basics
Id: 55637
Status: resolved
Priority: 0/
Queue: Apache-Session-Wrapper

People
Owner: Nobody in particular
Requestors: meneldor [...] metallibrary.ru
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in:
  • 0.33
  • 0.33_01
Fixed in: (no value)



Subject: delete_session won't clear cookie
Check the implementation of delete_session:

    sub delete_session
    {
        ...
        delete $self->{session_id};
        $self->_bake_cookie('-1d') if $self->{use_cookie};
    }

And now check _bake_cookie:

    sub _bake_cookie
    {
        ...
        -value => ( $self->{session_id} || '' ),
        ...
    }

Obviously, delete_session should be rewritten like this:

    sub delete_session
    {
        ...
        $self->_bake_cookie('-1d') if $self->{use_cookie};
        delete $self->{session_id};
    }

Thanks :)!

Subject: Re: [rt.cpan.org #55637] delete_session won't clear cookie
Date: Tue, 16 Mar 2010 14:43:42 -0500 (CDT)
To: Nikita Dedik via RT <bug-Apache-Session-Wrapper [...] rt.cpan.org>
From: Dave Rolsky <autarch [...] urth.org>
On Tue, 16 Mar 2010, Nikita Dedik via RT wrote:

> Check the implementation of delete_session:
>
>     sub delete_session
>     {
>         ...
>         delete $self->{session_id};
>         $self->_bake_cookie('-1d') if $self->{use_cookie};
>     }
>
> And now check _bake_cookie:
>
>     sub _bake_cookie
>     {
>         ...
>         -value => ( $self->{session_id} || '' ),
>         ...
>     }
>
> Obviously, delete_session should be rewritten like this:
>
>     sub delete_session
>     {
>         ...
>         $self->_bake_cookie('-1d') if $self->{use_cookie};
>         delete $self->{session_id};
>     }

Did you actually test the code (as is)? When a cookie is sent to a browser with an expiration in the past, the browser deletes the cookie.

-dave

/*============================================================
http://VegGuide.org               http://blog.urth.org
Your guide to all that's veg      House Absolute(ly Pointless)
============================================================*/

From: nikita.dedik [...] bulyon.com
Of course I did! I spent several hours looking for a problem in my code when I realized that it's not my fault :).

You're right about the way of deleting cookies by setting expiration in the past. But you didn't get my idea.

_bake_cookie uses $self->{session_id} - which is already deleted by the moment you call it with '-1d'!

    delete $self->{session_id};
    $self->_bake_cookie('-1d') if $self->{use_cookie};

So instead of re-sending the cookie like, say, "Set-Cookie: sid=....; expires=..." it sends "Set-Cookie: =...; expires=...", i.e. a cookie with no name!

Subject: Re: [rt.cpan.org #55637] delete_session won't clear cookie
Date: Tue, 16 Mar 2010 16:56:04 -0500 (CDT)
To: Nikita Dedik via RT <bug-Apache-Session-Wrapper [...] rt.cpan.org>
From: Dave Rolsky <autarch [...] urth.org>
On Tue, 16 Mar 2010, Nikita Dedik via RT wrote:

> Of course I did! I spent several hours looking for a problem in my code
> when I realized that it's not my fault :).

But you didn't write any tests for this module that fail, so I'm not convinced it's this module's fault.

> You're right about the way of deleting cookies by setting expiration in
> the past. But you didn't get my idea.
>
> _bake_cookie uses $self->{session_id} - which is already deleted by the
> moment you call it with '-1d'!
>
>     delete $self->{session_id};
>     $self->_bake_cookie('-1d') if $self->{use_cookie};
>
> So instead of re-sending the cookie like, say, "Set-Cookie: sid=....;
> expires=..." it sends "Set-Cookie: =...; expires=...", i.e. a cookie
> with no name!

But the session_id is the cookie's _value_, not its name. So it should be sending a cookie with no value that expires in the past. What exactly is the problem?

-dave

/*============================================================
http://VegGuide.org               http://blog.urth.org
Your guide to all that's veg      House Absolute(ly Pointless)
============================================================*/

From: nikita.dedik [...] bulyon.com
Oh c'mon, I must have been drunk yesterday :)). Sorry for disturbing - since I fixed it on my side, I'm too lazy to test it further, so let's just forget this one :). Thanks for a brilliant module, BTW ;)!
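
The point the ticket settles on (the session id is the cookie's value, and an expiry in the past removes the cookie whatever the value is) can be checked with the sketch below. It is an added example, not code from Apache::Session::Wrapper: `bake_cookie` and `jar_store` are hypothetical stand-ins, the cookie name `sid` and the session id are constructed, and the jar is a simplified model that keys cookies by name and path.

```perl
use strict;
use warnings;
use Time::Local qw(timegm);

my $COOKIE_NAME = 'sid';    # assumed cookie name, as in the thread's "sid=..."
my @DAY = qw(Sun Mon Tue Wed Thu Fri Sat);
my @MON = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);
my %MON_IDX; @MON_IDX{@MON} = 0 .. 11;

# Hypothetical stand-in for _bake_cookie: the name is fixed, the session id
# is only the VALUE, and it falls back to '' once session_id is deleted.
sub bake_cookie {
    my ($self, $offset_days) = @_;
    my @t = gmtime(time + $offset_days * 86400);
    my $when = sprintf('%s, %02d-%s-%04d %02d:%02d:%02d GMT',
        $DAY[$t[6]], $t[3], $MON[$t[4]], $t[5] + 1900, @t[2, 1, 0]);
    return sprintf('%s=%s; path=/; expires=%s',
        $COOKIE_NAME, ($self->{session_id} || ''), $when);
}

# Simplified browser jar: entries are keyed by name and path, never by value.
sub jar_store {
    my ($jar, $header) = @_;
    my ($pair, @attrs) = split /;\s*/, $header;
    my ($name, $value) = split /=/, $pair, 2;
    my %attr = map { my ($k, $v) = split /=/, $_, 2; (lc($k), $v) } @attrs;
    my $key = join '|', $name, ($attr{path} // '/');
    if (($attr{expires} // '') =~ /(\d+)-(\w{3})-(\d{4}) (\d+):(\d+):(\d+) GMT/) {
        my $expiry = timegm($6, $5, $4, $1, $MON_IDX{$2}, $3);
        if ($expiry <= time) { delete $jar->{$key}; return }   # expired: evict
    }
    $jar->{$key} = $value;
    return;
}

# Run both statement orders discussed in the ticket against a fresh jar.
for my $order ('delete id, then bake', 'bake, then delete id') {
    my $self = { session_id => 'constructed-session-id' };
    my %jar;
    jar_store(\%jar, bake_cookie($self, 1));    # login: cookie stored
    my $header;
    if ($order =~ /^delete/) {
        delete $self->{session_id};
        $header = bake_cookie($self, -1);       # empty value, past expiry
    }
    else {
        $header = bake_cookie($self, -1);       # old value, past expiry
        delete $self->{session_id};
    }
    jar_store(\%jar, $header);
    printf "%-22s Set-Cookie: %s\n  cookies left in jar: %d\n",
        $order, $header, scalar keys %jar;
}
```

What the expiring cookie has to match is the name, path and domain the original was set with; the value it carries plays no part in the eviction.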