Skip Menu |

This queue is for tickets about the Catalyst-Plugin-HashedCookies CPAN distribution.

Report information
The Basics
Id: 64855
Status: resolved
Priority: 0/
Queue: Catalyst-Plugin-HashedCookies
People
Owner: Nobody in particular
Requestors: nigel [...] mcnie.name
Cc:
AdminCc:
Bug Information
Severity: Normal
Broken in: 1.05
Fixed in: (no value)

History Show all quoted text
  Mon Jan 17 16:28:26 2011 nigel [...] mcnie.name - Ticket created
Subject: Should this sign cookies even on 5xx response codes?
Hi, I'm using this plugin to verify the validity of the session cookie. If it's not valid, the user is forced to log in again. As such, it's been very easy to get going. However, I have one possible issue. If a user is presented with a 5xx error code for whatever reason, this plugin doesn't bother signing the cookie. Then on the next request (e.g. user presses back button), they're sending an unsigned cookie, and thus are forced to log in again. Is there a reason for not signing cookies on 5xx responses? I figure you might know a good reason that I can't see, so I thought I'd ask. In any event, I'm going to temporarily patch my local copy so it signs them anyway, and see if anything disastrous happens. Cheers, Nigel
  Tue Jan 18 01:14:54 2011 OLIVER [...] cpan.org - Correspondence added
On Mon Jan 17 16:28:26 2011, nigel@mcnie.name wrote: Show quoted text
> However, I have one possible issue. If a user is presented with a 5xx > error code for whatever reason, this plugin doesn't bother signing the > cookie. Then on the next request (e.g. user presses back button), > they're sending an unsigned cookie, and thus are forced to log in again.
This seems to be a conscious decision on my part as in the code it checks for 5xx and aborts if that's the case. And as I wrote this code a few years ago now I cannot remember what the reason for that was. A lesson in needing better code commenting, I suppose! Anyway, I see no reason not to try patching the code to comment out the 5xx check. Let me know how you get on. I'm positive towards making this change permanent and re-releasing. regards, oliver. -- regards, oliver.
  Tue Jan 18 01:14:55 2011 The RT System itself - Status changed from 'new' to 'open'
  Tue Jan 18 01:18:32 2011 OLIVER [...] cpan.org - Correspondence added
On Tue Jan 18 01:14:54 2011, OLIVER wrote: Show quoted text
> This seems to be a conscious decision on my part as in the code it > checks for 5xx and aborts > if that's the case. And as I wrote this code a few years ago now I > cannot remember what the > reason for that was. A lesson in needing better code commenting, I > suppose!
Replying to myself, I wonder whether the reason is because the cookie data might not have been fully set by the application. For example, the cookie is prepared in the catalyst $c object but still needs some kind of data adding to it at the point the app throws a 5xx. Perhaps the user doesn't want that half created cookie to be baked and signed. What's your opinion, as a user? Presumably your app doesn't get into this situation. Or maybe we can do something else like not re-bake a previously signed cookie (i.e. remove) if doing a 5xx so it's more like a no-op. -- regards, oliver.
  Tue Jan 18 05:15:03 2011 nigel [...] mcnie.name - Correspondence added
From: nigel [...] mcnie.name
On Tue Jan 18 01:18:32 2011, OLIVER wrote: Show quoted text
> On Tue Jan 18 01:14:54 2011, OLIVER wrote:
> > This seems to be a conscious decision on my part as in the code it > > checks for 5xx and aborts > > if that's the case. And as I wrote this code a few years ago now I > > cannot remember what the > > reason for that was. A lesson in needing better code commenting, I > > suppose!
> > Replying to myself, I wonder whether the reason is because the cookie > data might not have > been fully set by the application. For example, the cookie is prepared > in the catalyst $c object > but still needs some kind of data adding to it at the point the app > throws a 5xx. Perhaps the > user doesn't want that half created cookie to be baked and signed.
Firstly - have been running with it commented out for today, and it hasn't caused any issues. I don't really do any hacking in core though, so I haven't been triggering 500s outside of my own application code. I have been implementing session-related stuff (sudo to other users), and thus have been triggering various session-related errors deliberately, and each time I've wanted the cookie to be signed. Show quoted text
> > What's your opinion, as a user? Presumably your app doesn't get into > this situation. Or maybe > we can do something else like not re-bake a previously signed cookie > (i.e. remove) if doing a > 5xx so it's more like a no-op.
Even if the cookie was half-completed when the 500 occurred, I don't think it's a reason to not sign it. If the application is coded correctly, it should handle the half-baked cookie case gracefully, and even if it doesn't, I don't think it's the purpose of this module to decide not to sign it. I feel that the module should be as transparent as it can, so that the behaviour is the same both when it's enabled and when it's not. Without this module, the cookie would be set anyway. I suppose it could be a no-op, but then I also don't see the point. It seems like more code for no great benefit. One caveat to my feedback: I don't know much about Catalyst's inner workings. So maybe there is a time when a 500 occurs that not signing the cookie makes sense. I defer to your judgement about what to do if that's the case, though my preference would be for the module to sign cookies if the 500 was caused by the application rather than Catalyst itself. Cheers, Nigel
  Sun Jan 23 05:30:32 2011 OLIVER [...] cpan.org - Correspondence added
Hello Nigel, On Tue Jan 18 05:15:03 2011, nigel@mcnie.name wrote: Show quoted text
> I feel that the module should be as transparent as it can, so that the > behaviour is the same both when it's enabled and when it's not. Without > this module, the cookie would be set anyway.
I agree with you here, and the module should not be skipping any of its steps. I've patched to remove the 5xx check/skip and released to CPAN as version 1.110231. Please let me know how you get on. Many thanks once again for the bug report. regards, oliver.
  Sun Jan 23 05:30:33 2011 OLIVER [...] cpan.org - Status changed from 'open' to 'resolved'
  Sun Jan 23 19:32:45 2011 nigel [...] mcnie.name - Correspondence added
From: nigel [...] mcnie.name
On Sun Jan 23 05:30:32 2011, OLIVER wrote: Show quoted text
> > I've patched to remove the 5xx check/skip and released to CPAN as > version 1.110231. Please let me know > how you get on.
Thanks! It's working fine so far - I'll reply/re-open if I encounter any issues. Cheers, Nigel
  Sun Jan 23 19:32:46 2011 The RT System itself - Status changed from 'resolved' to 'open'
  Mon Jan 24 05:02:37 2011 OLIVER [...] cpan.org - Status changed from 'open' to 'resolved'