Subject: | Random session id in ::State::Cookie necessary? |
Hi there,
I'm trying to figure out why the ::State::Cookie module generated a random session id that is
updated on every request. The problem with that is, that I use the "Vary: Cookie" header to
purge the cache on either the browser or intermediate cache servers when the cookie changes
(i.e. user logs in/out, user changed etc.). Now, this won't work at all, because ::State::Cookie
changes the value of the cookie on each request (because of the random session id) which
causes the "Vary" behavior to be triggered and the cache will be purged (or revalidated).
I overwrote the generate_id method which now returns a static string and everything works as
expected. I couldn't find any reference to the session id in the code besides generating it. So I
guess it is nowhere validated (which wouldn't make a lot of sense either because it is stored
by the user).
I'm happy to provide a patch but wanted to check first, if I missed something.
Best,
mo