This queue is for tickets about the Plack-Middleware-Session CPAN distribution.

Report information
The Basics
Id: 77315
Status: open
Priority: 0/
Queue: Plack-Middleware-Session

People
Owner: Nobody in particular
Requestors: onken [...] netcubed.de
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.14
Fixed in: (no value)



Subject: Random session id in ::State::Cookie necessary?
Hi there,

I'm trying to figure out why the ::State::Cookie module generated a random session id that is updated on every request.

The problem with that is, that I use the "Vary: Cookie" header to purge the cache on either the browser or intermediate cache servers when the cookie changes (i.e. user logs in/out, user changed etc.). Now, this won't work at all, because ::State::Cookie changes the value of the cookie on each request (because of the random session id) which causes the "Vary" behavior to be triggered and the cache will be purged (or revalidated).

I overwrote the generate_id method which now returns a static string and everything works as expected. I couldn't find any reference to the session id in the code besides generating it. So I guess it is nowhere validated (which wouldn't make a lot of sense either because it is stored by the user).

I'm happy to provide a patch but wanted to check first, if I missed something.

Best, mo

Subject: Re: [rt.cpan.org #77315] Random session id in ::State::Cookie necessary?
Date: Sun, 20 May 2012 13:49:32 -0700
To: bug-Plack-Middleware-Session [...] rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa [...] gmail.com>

On Sunday, May 20, 2012 at 1:21 PM, Moritz Onken via RT wrote:

> Hi there,
>
> I'm trying to figure out why the ::State::Cookie module generated a random session id that is updated on every request.

on every request? No, it doesn't - it only generates the new ID whenever necessary i.e. the request comes without a valid session ID.

> The problem with that is, that I use the "Vary: Cookie" header to purge the cache on either the browser or intermediate cache servers when the cookie changes (i.e. user logs in/out, user changed etc.). Now, this won't work at all, because ::State::Cookie changes the value of the cookie on each request (because of the random session id) which causes the "Vary" behavior to be triggered and the cache will be purged (or revalidated).
>
> I overwrote the generate_id method which now returns a static string and everything works as expected. I couldn't find any reference to the session id in the code besides generating it. So I guess it is nowhere validated (which wouldn't make a lot of sense either because it is stored by the user).

It is validated in the base State class.

> I'm happy to provide a patch but wanted to check first, if I missed something.

I'm sure there's some environmental issue in your end that erases or invalidates the cookie somewhere. If you could replicate a test case that doesn't involve a bunch of proxy servers etc that would be great.

Also, try using the github tracker for further requests.

On Sun May 20 16:49:43 2012, miyagawa@gmail.com wrote:

> On Sunday, May 20, 2012 at 1:21 PM, Moritz Onken via RT wrote:
>
> > Hi there,
> >
> > I'm trying to figure out why the ::State::Cookie module generated a random session id that is updated on every request.
>
> on every request? No, it doesn't - it only generates the new ID whenever necessary i.e. the request comes without a valid session ID.
>
> > The problem with that is, that I use the "Vary: Cookie" header to purge the cache on either the browser or intermediate cache servers when the cookie changes (i.e. user logs in/out, user changed etc.). Now, this won't work at all, because ::State::Cookie changes the value of the cookie on each request (because of the random session id) which causes the "Vary" behavior to be triggered and the cache will be purged (or revalidated).
> >
> > I overwrote the generate_id method which now returns a static string and everything works as expected. I couldn't find any reference to the session id in the code besides generating it. So I guess it is nowhere validated (which wouldn't make a lot of sense either because it is stored by the user).
>
> It is validated in the base State class.
>
> > I'm happy to provide a patch but wanted to check first, if I missed something.
>
> I'm sure there's some environmental issue in your end that erases or invalidates the cookie somewhere. If you could replicate a test case that doesn't involve a bunch of proxy servers etc that would be great.
>
> Also, try using the github tracker for further requests.

Sorry, couldn't find the dist in your github account.

Actually, I meant to talk about Plack::Middleware::Session::Cookie and not ::State::Cookie (which works fine). Sorry for the confusion, I got mixed up with the naming.

Can you confirm my findings for Plack::Middleware::Session::Cookie?

Best, mo
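
A proxy-free test case of the kind requested in the reply above could look like the following. This is an added example, not code from the ticket or from the Plack-Middleware-Session distribution; the secret, the `user` session key and the request count are constructed for illustration. It replays each cookie the way a browser would and reports whether the cookie value changes while the session data stays the same, which is what decides whether a `Vary: Cookie` cache entry can be reused.

```perl
#!/usr/bin/env perl
# Added example: in-process check (no proxies, no network) of whether the
# session cookie value changes between requests with unchanged session data.
use strict;
use warnings;
use Plack::Builder;
use Plack::Test;
use HTTP::Request::Common qw(GET);

# Middleware to test: 'Session' (default ::State::Cookie) or 'Session::Cookie'.
my $middleware = shift(@ARGV) || 'Session::Cookie';
# Constructed placeholder secret; only passed to Session::Cookie.
my @args = $middleware eq 'Session::Cookie'
    ? (secret => 'constructed-test-secret') : ();

my $app = builder {
    enable $middleware, @args;
    sub {
        my $env = shift;
        # Same value on every request, so the stored data never changes.
        $env->{'psgix.session'}{user} = 'alice';
        return [ 200, [ 'Content-Type' => 'text/plain' ], ['ok'] ];
    };
};

# Return "name=value" from the first Set-Cookie header, without attributes.
sub cookie_pair {
    my $res = shift;
    my ($set) = $res->header('Set-Cookie');
    return undef unless defined $set;
    my ($pair) = split /;\s*/, $set;
    return $pair;
}

test_psgi $app, sub {
    my $cb = shift;
    my $previous = cookie_pair($cb->(GET '/'));
    die "no Set-Cookie on first response\n" unless defined $previous;
    for my $n (2 .. 4) {
        my $res = $cb->(GET '/', Cookie => $previous);
        # No Set-Cookie means the client keeps the cookie it already has.
        my $current = cookie_pair($res) // $previous;
        printf "%s request %d: cookie %s\n", $middleware, $n,
            $current eq $previous ? 'unchanged' : 'CHANGED';
        $previous = $current;
    }
};
```

Run it once with `Session` and once with `Session::Cookie` as the argument to compare the two modules named in the thread.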