Hi,

> I'm fairly convinced that we should at least give the user the option
> to be extra paranoid if they want to, and we should add additional
> documentation about potential issues.
>
> I just haven't had time to work on any of this yet, it's somewhere on
> my list - but if anyone else wants to volunteer patches, then they're
> very welcome as always ;)

I have done some research and found out that it would be nice to have the following 2 methods available in Catalyst::Plugin::Session:

1) a method that just changes the sessionid but keeps all session data
2) a method that starts a completely new session - new sessionid, new cookie, clean session data (just the necessary internal items like __user, __user_realm, ...)
Then after (or during) authenticate() I can decide to: call method 1) OR call method 2) OR do nothing.

ad 1) - my proposal is something like this:

    sub change_session_id {
        my $c = shift;
        my $oldsid = $c->_sessionid;
        my $newsid = $c->create_session_id;
        # deleting old session data from store
        # current $c->_session will be saved under a new sessionid
        if ($oldsid) {
            $c->log->debug(qq/Deleting session data for "$oldsid"/) if $c->debug;
            $c->delete_session_data("${_}:${oldsid}") for qw/session expires flash/;
        }
        return $newsid;
    }

And I can simply use it in my login action like this:

    if ($c->authenticate( { username => $user, password => $pass } )) {
        $c->change_session_id;
        ...
    }

ad 2) - despite the fact that it seems to be as simple as creating a new session - it is not (at least I was not able to do it easily: delete-create). We are gonna call it after authenticate() and we cannot just drop all session data, because after authenticate the session data contains info like '__user' etc. that we want to keep. I have not found a "nice" solution - this is just a sort of idea:

    sub restart_session {
        my $c = shift;
        my $newsid = $c->change_session_id;  # new session id (clears session data from store)
        $c->_clear_session_instance_data;    # clear session_instance data
        $c->initialize_session_data;         # store __created __updated __address
        $c->persist_user if ($c->user);      # store __user_realm __user
        return $newsid;
    }

And I can again simply use it in my login action like this:

    if ($c->authenticate( { username => $user, password => $pass } )) {
        $c->restart_session;
        ...
    }

To be honest it is still quite hard for me to follow the whole Catalyst session stuff, thus my suggestion might be slightly out of the Cat session concept. Any feedback welcome.
--
kmx

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
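As an added example (not code from the message above and not Catalyst::Plugin::Session's own code), the following stand-alone Perl script models the two proposed methods against an in-memory hash keyed the way the plugin keys its store backend ("session:$sid", "expires:$sid", "flash:$sid"), and walks through the session-fixation scenario they are meant to close: the id that existed before login stops resolving, method 1 carries all session data across, method 2 carries only __user and __user_realm. The names %STORE, mk_sid, new_session, the one-hour expiry and the sample cart data are constructed assumptions for this example, not plugin internals.

```perl
#!/usr/bin/env perl
# Added example, not Catalyst::Plugin::Session code: a stand-alone model of
# "change id, keep data" versus "restart session, keep only auth items".
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my %STORE;        # constructed stand-in for the session store backend
my $counter = 0;  # makes ids unique within one run

# Constructed id generator (the exact scheme does not matter here).
sub mk_sid { return sha256_hex(join '|', time(), $$, ++$counter, rand()) }

# Create a fresh, unauthenticated session (what a first request would get).
sub new_session {
    my $sid = mk_sid();
    $STORE{"session:$sid"} = { __created => time(), __updated => time() };
    $STORE{"expires:$sid"} = time() + 3600;   # assumed one-hour expiry
    $STORE{"flash:$sid"}   = {};
    return $sid;
}

# Method 1: keep every key of the session, move it under a fresh id and
# purge the old id's store entries so a pre-login id no longer resolves.
sub change_session_id {
    my ($oldsid) = @_;
    my $newsid = mk_sid();
    for my $prefix (qw/session expires flash/) {
        $STORE{"$prefix:$newsid"} = delete $STORE{"$prefix:$oldsid"};
    }
    return $newsid;
}

# Method 2: fresh id and fresh data; only the bookkeeping keys and the
# authentication keys (__user, __user_realm) survive, everything else is dropped.
sub restart_session {
    my ($oldsid) = @_;
    my $old    = $STORE{"session:$oldsid"} || {};
    my $newsid = change_session_id($oldsid);   # also deletes the old entries
    my %keep   = map { ($_ => $old->{$_}) } grep { exists $old->{$_} } qw/__user __user_realm/;
    $STORE{"session:$newsid"} = { __created => time(), __updated => time(), %keep };
    $STORE{"flash:$newsid"}   = {};
    return $newsid;
}

# Walk-through: a session exists before login (in a fixation scenario this is
# the id an attacker already knows), then the user authenticates.
my $pre_login = new_session();
$STORE{"session:$pre_login"}{cart} = ['item42'];   # constructed pre-auth data

# authenticate() succeeds: the plugin would now store __user / __user_realm.
$STORE{"session:$pre_login"}{__user}       = { id => 'alice' };
$STORE{"session:$pre_login"}{__user_realm} = 'default';

my $sid1 = change_session_id($pre_login);
printf "method 1: old id resolves: %s, cart kept: %s, user kept: %s\n",
    exists $STORE{"session:$pre_login"}      ? 'yes' : 'no',
    exists $STORE{"session:$sid1"}{cart}     ? 'yes' : 'no',
    exists $STORE{"session:$sid1"}{__user}   ? 'yes' : 'no';

my $sid2 = restart_session($sid1);
printf "method 2: old id resolves: %s, cart kept: %s, user kept: %s\n",
    exists $STORE{"session:$sid1"}           ? 'yes' : 'no',
    exists $STORE{"session:$sid2"}{cart}     ? 'yes' : 'no',
    exists $STORE{"session:$sid2"}{__user}   ? 'yes' : 'no';
```

In the real plugin the data does not need to be copied by hand: after create_session_id the in-memory $c->_session is flushed under the new id at the end of the request, which is why the proposed change_session_id only has to delete the old id's "session", "expires" and "flash" entries. The model above makes that move explicit so the difference between the two methods can be seen in one run without a Catalyst application.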