
This queue is for tickets about the Apache-Session CPAN distribution.

Report information
The Basics
Id: 83525
Status: open
Priority: 0/
Queue: Apache-Session

People
Owner: Nobody in particular
Requestors: tsibley [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 1.90
Fixed in: (no value)



Subject: Deleted sessions can be revivified by update during session destruction
After deletion, any subsequent updates mark the session MODIFIED. Upon destruction, these modifications are attempted to be saved via the backing store's ->update method. For database-backed stores, ->update will silently fail if the session id no longer exists. Apache::Session::Store::File and Apache::Session::Store::DB_File, however, will autocreate the session if it doesn't exist before saving the update. This causes a deleted session to automagically come to life again, potentially with data thought to be deleted for good (depending on how the application handles deleted sessions).

I believe at least two sets of changes should be made:

1) The File and DB_File stores should not autocreate sessions on update, to match the behaviour of other stores. This provides consistency and reliability when switching between stores.

2) The DELETED flag, or a new equivalent, should be persistent after deletion from a store and prevent any new updates from happening.

Either one of these would fix the individual symptom by itself, but I believe applying both will ensure a similar issue doesn't crop up accidentally in the future.

I'm happy to work up tests and patches for both if you're willing to review and apply them.

Cheers,
Thomas
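The lifecycle the ticket describes (delete, then a write before DESTROY, then save calling the store's ->update) can be turned into a regression test. The script below is an added example, not code from the ticket or from the Apache-Session distribution. It uses the public tie interface of Apache::Session::File (Directory and LockDirectory arguments, tied(%session)->delete, untie) and measures the symptom directly: whether the session file exists again after the deleted session is written to and destroyed. The Apache::Session::File::NoRevive subclass is a hypothetical application-side guard that reproduces the effect of the ticket's proposal 2 (a persistent deleted state that refuses further saves) without changing the module; it is not a patch to the distribution.

```perl
#!/usr/bin/env perl
# Regression check for rt.cpan.org #83525: a deleted Apache::Session::File
# session must not be recreated by a write that happens before DESTROY.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Test::More;
use Apache::Session::File;

# Hypothetical application-side guard (not part of Apache-Session): once
# delete() has run, every later save() is ignored. This is the effect the
# ticket's proposal 2 (a persistent DELETED flag) would give inside the module.
package Apache::Session::File::NoRevive;
our @ISA = ('Apache::Session::File');

sub delete {
    my $self = shift;
    $self->SUPER::delete(@_);           # removes the session from the store
    $self->{_deleted_for_good} = 1;     # remember that it is gone
}

sub save {
    my $self = shift;
    return if $self->{_deleted_for_good};   # refuse to update a deleted session
    return $self->SUPER::save(@_);
}

package main;

# Run the create / delete / write-after-delete lifecycle against $class and
# return 1 if the session file exists afterwards (the session was revived).
sub revived_after_delete {
    my ($class) = @_;
    my %args = (
        Directory     => tempdir(CLEANUP => 1),
        LockDirectory => tempdir(CLEANUP => 1),
    );

    my %session;
    tie %session, $class, undef, \%args;     # create a new session
    my $id = $session{_session_id};
    $session{secret} = 'should not survive deletion';
    untie %session;                          # first save writes the file

    tie %session, $class, $id, \%args;       # reopen the same session
    tied(%session)->delete;                  # status DELETED -> file unlinked
    $session{last_seen} = time;              # marks the session MODIFIED again
    untie %session;                          # DESTROY -> save -> store->update

    return -e "$args{Directory}/$id" ? 1 : 0;
}

# Stock store: on 1.90 this is 1, because Store::File's update() autocreates
# the missing session file instead of failing as the database stores do.
my $stock = revived_after_delete('Apache::Session::File');
diag("stock Apache::Session::File revived a deleted session: $stock");

# Guarded class: the post-delete write is dropped, so the file stays gone.
is(revived_after_delete('Apache::Session::File::NoRevive'), 0,
   'guarded session is not revived by an update after delete');

# This is the regression test for the ticket itself: it fails on 1.90 and
# should pass once the File store stops autocreating sessions on update.
is($stock, 0, 'deleted Apache::Session::File session is not revived');

done_testing;
```

Run it with `prove -v` (or `perl`) against the installed Apache-Session; the `diag` line shows the observed behaviour of the stock store, and the last assertion documents the expected behaviour once the store is fixed. For code that cannot change the module, the same test also shows the simplest application-side mitigation: after calling `delete`, `untie` the hash immediately and never write to it again, so no MODIFIED state can reach the store's ->update.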
Subject: Re: [rt.cpan.org #83525] Deleted sessions can be revivified by update during session destruction
Date: Thu, 21 Feb 2013 17:36:27 -0800
To: bug-Apache-Session [...] rt.cpan.org
From: Jeffrey Baker <jwbaker [...] gmail.com>
You appear to be interested in this topic :) Certainly I have not worked on this code in 10+ years. Perhaps you would enjoy working on it.

On Thu, Feb 21, 2013 at 5:29 PM, Thomas Sibley via RT <bug-Apache-Session@rt.cpan.org> wrote:
> Thu Feb 21 20:29:20 2013: Request 83525 was acted upon.
> Transaction: Ticket created by TSIBLEY
> Queue: Apache-Session
> Subject: Deleted sessions can be revivified by update during session destruction
> Broken in: 1.90
> Severity: Critical
> Owner: Nobody
> Requestors: tsibley@cpan.org
> Status: new
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=83525 >
>
>
> After deletion, any subsequent updates mark the session MODIFIED. Upon
> destruction, these modifications are attempted to be saved via the
> backing store's ->update method. For database backed stores, ->update
> will silently fail if the session id no longer exists.
> Apache::Session::Store::File and Apache::Session::Store::DB_File,
> however, will autocreate the session if it doesn't exist before saving
> the update. This causes a deleted session to automagically come to life
> again, potentially with data thought to be deleted for good (depending
> on how the application handles deleted sessions).
>
> I believe at least two sets of changes should be made:
>
> 1) The File and DB_File stores should not autocreate sessions on update,
> to match the behaviour of other stores. This provides consistency and
> reliability when switching between stores.
>
> 2) The DELETED flag, or a new equivalent, should be persistent after
> deletion from a store and prevent any new updates from happening.
>
> Either one of these would fix the individual symptom by themselves, but
> I believe applying both will ensure a similar issue doesn't crop up
> accidentally in the future.
>
> I'm happy to work up tests and patches for both if you're willing to
> review and apply them.
>
> Cheers,
> Thomas
Subject: Re: [rt.cpan.org #83525] Deleted sessions can be revivified by update during session destruction
Date: Tue, 26 Feb 2013 17:48:07 -0800
To: bug-Apache-Session [...] rt.cpan.org
From: Thomas Sibley <tsibley [...] cpan.org>
On 02/21/2013 05:36 PM, Jeffrey Baker via RT wrote:
> You appear to be interested in this topic :) Certainly I have not worked
> on this code in 10+ years. Perhaps you would enjoy working on it.
I'm interested because I work on RT, which uses the Apache::Session::File backend in some cases but usually uses the ::MySQL or ::Pg backends. As I noted, I'm willing to work up tests and patches at some point soonish if you are willing to review and apply them (once up to snuff). Are you?
Just as a matter of record, the maintainer added me to the github repo for Apache-Session to fix this bug. I haven't had the $work time to do so yet, however.
Subject: Re: [rt.cpan.org #83525] Deleted sessions can be revivified by update during session destruction
Date: Wed, 22 May 2013 14:59:32 -0700
To: bug-Apache-Session [...] rt.cpan.org
From: Thomas Sibley <tsibley [...] cpan.org>
On 02/21/2013 05:36 PM, Jeffrey Baker via RT wrote:
> You appear to be interested in this topic :) Certainly I have not worked
> on this code in 10+ years. Perhaps you would enjoy working on it.
I saw that you gave me commit bits two months ago, but unfortunately I've lost the time to work on this bug. We worked around it in RT instead.