Bug #60933 for CGI-Session: Support for cookie path and domain

Wed Sep 01 05:23:59 2010 xavier.robin [...] bluewin.ch - Ticket created

Subject:

Support for cookie path and domain

I need to configure the "path" of my session cookie. I'm attaching a patch to support it. The path defauts to / (as currently) but can be redefined, as the name is. I don't need it right now but support for the domain of the cookie is also added in the patch.

Subject:

Session.pm.diff

--- /usr/lib/perl5/site_perl/5.8.8/CGI/Session.pm.old 2010-08-31 16:46:48.000000000 +0200 +++ /usr/lib/perl5/site_perl/5.8.8/CGI/Session.pm 2010-09-01 10:47:27.000000000 +0200 @@ -9,6 +9,8 @@ @CGI::Session::ISA = qw( CGI::Session::ErrorHandler ); $CGI::Session::VERSION = '4.42'; $CGI::Session::NAME = 'CGISESSID'; +$CGI::Session::PATH = '/'; +$CGI::Session::DOMAIN = undef; $CGI::Session::IP_MATCH = 0; sub STATUS_UNSET () { 1 << 0 } # denotes session that's resetted @@ -182,6 +184,34 @@ return $CGI::Session::NAME; } +sub path { + my $self = shift; + + if (ref $self) { + unless ( @_ ) { + return $self->{_PATH} || $CGI::Session::PATH; + } + return $self->{_PATH} = $_[0]; + } + + $CGI::Session::PATH = $_[0] if @_; + return $CGI::Session::PATH; +} + +sub domain { + my $self = shift; + + if (ref $self) { + unless ( @_ ) { + return $self->{_DOMAIN} || $CGI::Session::DOMAIN; + } + return $self->{_DOMAIN} = $_[0]; + } + + $CGI::Session::DOMAIN = $_[0] if @_; + return $CGI::Session::DOMAIN; +} + sub dump { my $self = shift; @@ -340,13 +370,28 @@ my $cookie= undef; if ( $self->is_expired ) { - $cookie = $query->cookie( -name=>$self->name, -value=>$self->id, -expires=> '-1d', @_ ); + if (defined $self->domain) { + $cookie = $query->cookie( -name=>$self->name, -value=>$self->id, -expires=> '-1d', -path=>$self->path, -domain=>$self->domain, @_ ); + } + else { + $cookie = $query->cookie( -name=>$self->name, -value=>$self->id, -expires=> '-1d', -path=>$self->path, @_ ); + } } elsif ( my $t = $self->expire ) { - $cookie = $query->cookie( -name=>$self->name, -value=>$self->id, -expires=> '+' . $t . 's', @_ ); + if (defined $self->domain) { + $cookie = $query->cookie( -name=>$self->name, -value=>$self->id, -expires=> '+' . $t . 's', -path=>$self->path, -domain=>$self->domain, @_ ); + } + else { + $cookie = $query->cookie( -name=>$self->name, -value=>$self->id, -expires=> '+' . $t . 's', -path=>$self->path, @_ ); + } } else { - $cookie = $query->cookie( -name=>$self->name, -value=>$self->id, @_ ); + if (defined $self->domain) { + $cookie = $query->cookie( -name=>$self->name, -value=>$self->id, -path=>$self->path, -domain=>$self->domain, @_ ); + } + else { + $cookie = $query->cookie( -name=>$self->name, -value=>$self->id, -path=>$self->path, @_ ); + } } return $cookie; } @@ -1203,10 +1248,12 @@ It will retrieve the name of the session cookie from C<$session->name()> which defaults to C<$CGI::Session::NAME>. If you want to use a different name for your session cookie, do something like following before creating session object: CGI::Session->name("MY_SID"); + CGI::Session->path("/my_path"); + CGI::Session->path("www.example.com"); $session = CGI::Session->new(undef, $cgi, \%attrs); -Now, $session->header() uses "MY_SID" as a name for the session cookie. For all additional options that can -be passed, see the C<header()> docs in L<CGI>. +Now, $session->header() uses "MY_SID" as a name for the session cookie, with "/my_path" as cookie path and "www.example.com" as domain. +For all additional options that can be passed, see the C<header()> docs in L<CGI>. =head2 query()

Wed Sep 01 09:13:08 2010 mark [...] summersault.com - Correspondence added

Subject:	Re: [rt.cpan.org #60933] Support for cookie path and domain
Date:	Wed, 1 Sep 2010 09:12:53 -0400
To:	bug-CGI-Session [...] rt.cpan.org
From:	Mark Stosberg <mark [...] summersault.com>

Show quoted text

> I need to configure the "path" of my session cookie. I'm attaching a > patch to support it. The path defauts to / (as currently) but can be > redefined, as the name is.

Hello Xavier, Thanks for the feedback on CGI::Session, as well as the patch. It's my opinion that CGI::Session should not do anything more with cookie management. It appears that your interest here is to set some easy defaults that are used for all your cookies. My suggestion for this to use a wrapper layer, like the CGI::Application plugin that has a section for cookie defaults: http://search.cpan.org/~ceeshek/CGI-Application-Plugin-Session-1.03/lib/CGI/Application/Plugin/Session.pm#session_config ( This is what I do myself to achieve the same goal. ) Or make your own tiny subclass that overrides the new, header() or cookie methods (whichever you need) so that your values are always set. Just drop in your new method and call $self->SUPER::header() (or whatever) in your method, so that you only have add the small additional bits you need, instead of rewriting a whole method. In any case, I don't think we would add any more global variables in the $CGI::Session:: name space. Those are no longer considered a best practice. I could be pursued otherwise if you wanted to discuss the topic on the mailing list and gather support from some other users. Mark

Wed Sep 01 09:13:10 2010 The RT System itself - Status changed from 'new' to 'open'