I'm running a web application under Apache::Register and mod_perl 1 -- using CGI::Application, Class::DBI and Template Toolkit.
I have a question on package globals. My expectation is that each instance of the Apache intrepeter will have its own copy of the package globals. I.e. in any given thread I can assign to a package variable and have it be unchanged for the remainder of the request. However I'm seeing weird behavior that could be explained by the value changing.
I am extracting the currently logged in user from an encoded cookie in my CGI::App code and setting a package variable value on every invocation: package TestApp; use base 'CGI::Application'; use vars qw( $user );
sub cgiapp_prerun { my $self = shift; my $runmode = shift; $user = $self->query->cookie('user'); ...
I want to keep the currently logged in user as a global because I have Template toolkit callbacks to the Class::DBI object and they perform authorization checks (e.g. an employee's ssn should not be visible to other users): package Employee; use base 'Class::DBI::mysql'; __PACKAGE__->set_db('Main', "dbi:mysql:test", $dbacct, $dbpw); __PACKAGE__->set_up_table('employee'); sub ssn { my $self = shift; return $self->name eq $TestApp::user ? $self->get('ssn') : "Private"; }
My users have seen instances where they see the private info of other users, as if the package var $user had been set to something other than themself.
I would expect $user to remain unchanged, even if another user hit the website simultaneously -- their access would set $user of another thread. Or am I missing something big (would the different apache children share package globals???)
If my understanding is correct, then I've got a bug elsewhere in my code. I'm in the progress of migrating to modperl 2/Apache 2, so comments on the same scenario in MP2 are of interest too...
Thanks, --Mike Carlton
-- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html