Subject: | Deleted sessions can be revivified by update during session destruction |
After deletion, any subsequent updates mark the session MODIFIED. Upon
destruction, these modifications are attempted to be saved via the
backing store's ->update method. For database backed stores, ->update
will silently fail if the session id no longer exists.
Apache::Session::Store::File and Apache::Session::Store::DB_File,
however, will autocreate the session if it doesn't exist before saving
the update. This causes a deleted session to automagically come to life
again, potentially with data thought to be deleted for good (depending
on how the application handles deleted sessions).
I believe at least two sets of changes should be made:
1) The File and DB_File stores should not autocreate sessions on update,
to match the behaviour of other stores. This provides consistency and
reliability when switching between stores.
2) The DELETED flag, or a new equivalent, should be persistent after
deletion from a store and prevent any new updates from happening.
Either one of these would fix the individual symptom by themselves, but
I believe applying both will ensure a similar issue doesn't crop up
accidentally in the future.
I'm happy to work up tests and patches for both if you're willing to
review and apply them.
Cheers,
Thomas