Hi all!

I took over maintenance of AxKit::XSP::BasicSession some time ago from 
Mike Nachbaur, who wrote it. Recently, we have discovered it has some 
really bad issues. We have discussed the problems in the usual dahut 
hangouts, but well, the short story is that none of us grok tie-ing 
well enough to find our way out of this. I therefore turn to you for 
enlightenment... This module isn't just used by me, so many will be 
thankful even if you don't hear it... :-)

The code in question can be inspected (and checked out) in my SVN 
repository: 
http://svn.kjernsmo.net/AxKit-XSP-BasicSession/trunk/lib/AxKit/XSP/BasicSession.pm
http://svn.kjernsmo.net/AxKit-XSP-BasicSession/trunk/lib/Apache/AxKit/Plugin/BasicSession.pm
and on CPAN:  
http://search.cpan.org/~kjetilk/AxKit-XSP-BasicSession-0.23_3/

Also, I filed a bug against my own package at RT, just so that people 
would know that there are issues:
https://rt.cpan.org/NoAuth/Bug.html?id=12473
The description isn't quite accurate, and I have recently seen DoS 
problems with it, so this is really nasty...

To elaborate on some details from there, things go wrong when we 
invalidate a session, as the session is supposed to be untied. However, 
as described in the Camel Book (pp. 395), this can't happen because we 
still have references to the tied object. The problem is that we don't 
understand _why_ we have references to the tied object. 

The two important packages here are an XSP taglib and an AxKit Plugin, 
each playing different roles; they are the two links above.

The %session hash has been implemented as a package global in the 
Plugin. The Plugin has a handler and a cleanup method. We attempt to 
untie the session if there are references in the beginning of the 
handler, and this is where it fails when it goes wrong.

If you look at the invalidate "method" in the XSP, you'll see that it 
tries to invalidate the session by calling delete on the tied object, 
and then calls the handler again. This is, I think, a necessity, but it 
raises my suspicions that there are references left by this that I 
don't see...  

I think this is where the problem lies buried, but there is a chance it 
is in other parts of the code, of course. Your eyeballs will be much 
appreciated.

More than anything else, the problem here is that we don't grok ties, so 
it is a rather general Perl question. Nevertheless, the rest of the 
herd felt this would be the right forum to ask. 

Anxiously hoping for enlightenment,

Kjetil
-- 
Kjetil Kjernsmo
Programmer/Astrophysicist/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC
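
The untie behaviour the post refers to, as an added example that is not part of the original message or of AxKit::XSP::BasicSession: a saved copy of the object returned by tie keeps it alive past untie, so its DESTROY does not run. DemoSession and its fields are hypothetical stand-ins for a session store.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical minimal tie class standing in for a session store.
package DemoSession;
our $destroyed = 0;
sub TIEHASH { my ($class) = @_; return bless { data => {} }, $class }
sub STORE   { $_[0]{data}{ $_[1] } = $_[2] }
sub FETCH   { $_[0]{data}{ $_[1] } }
sub DESTROY { $destroyed++ }    # a real store would flush and unlock here

package main;

our %session;    # package global, as in the plugin described in the post

# Case 1: nothing else holds the tied object, so untie destroys it at once.
tie %session, 'DemoSession';
$session{user} = 'alice';       # constructed sample value
untie %session;
print "case 1 after untie: destroyed=$DemoSession::destroyed\n";

# Case 2: tie() returns the object; keeping that copy leaves one extra
# reference, so untie detaches the hash but the object stays alive.
my $obj = tie %session, 'DemoSession';
{
    # The 'untie' warning category reports references that still exist.
    use warnings 'untie';
    local $SIG{__WARN__} = sub { print "warning: $_[0]" };
    untie %session;
}
print "case 2 after untie: destroyed=$DemoSession::destroyed\n";

# Only dropping the last reference lets DESTROY run.
undef $obj;
print "case 2 after undef: destroyed=$DemoSession::destroyed\n";
```

The same applies to a reference obtained later with tied(%session): any copy still in scope when untie is called has to be released before the object is destroyed.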
