Re: [Catalyst] Duplicate session ids
On Sat, May 26, 2007 at 03:49:23PM -0700, mla wrote:
> Try changing Catalyst::Plugin::Session::finalize() to this:
>
>     sub finalize {
>         my $c = shift;
>         $c->NEXT::finalize(@_);
>         $c->finalize_session;
>     }
>
> Just flipped the calls so it finalizes last. Seems to fix it.

That's what .16 now has. But, if finalize calls finalize_headers then calling finalize_session after that is too late to get the cookies in the response. Which is why I'm not seeing a cookie in the response.

Well, I get a cookie sent on the first request. I assume that's because my first request is asking for session info (when there is none yet) which ends up calling set_session_id and that calls update_session_cookie. But once I have a cookie (and thus a session) no more cookies are sent.

The problem I had was I wanted access to the session data while processing cookies, by which time the session data had been cleared.[1]

Should it be like this instead?

    sub finalize {
        my $c = shift;
        $c->finalize_session;
        $c->NEXT::finalize(@_);
        $c->_clear_session_instance_data;
    }

    sub finalize_session {
        my $c = shift;
        $c->NEXT::finalize_session;
        $c->_save_session_id;
        $c->_save_session;
        $c->_save_flash;
        $c->_save_session_expires;
    }

[1] The result was when I tried to access the session a new session would then be created -- so my session id was ever-changing and I could never log in.

--
Bill Moseley
[EMAIL PROTECTED]

___
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Duplicate session ids
On 5/26/07, Bill Moseley [EMAIL PROTECTED] wrote:
> Perhaps an easier way to show the problem with duplicate created sessions would help.

Do you mean duplicate or multiple? The session ID generation code in Catalyst::Plugin::Session does look like it could generate duplicates to me, but that would be rare and unpredictable.

- Perrin
Re: [Catalyst] Duplicate session ids
On 5/26/07, Jonathan Rockway [EMAIL PROTECTED] wrote:
> Please keep in mind that by rare, he means that you would have to generate 2317195645184714165087019331424 sessions per second for 100 years in order to have a 50% chance of colliding with an existing session.

Or you could have it happen on the first try. It's just probability.

If duplicate session IDs are a major concern for your application, generating them from mod_unique_id or a database sequence should prevent the possibility, and verifying your cookies with a MAC of some kind will prevent people from taking advantage of predictable IDs.

It doesn't sound like this is the problem Bill was talking about though.

- Perrin
Re: [Catalyst] Duplicate session ids
mla wrote:
> Bill Moseley wrote:
>> On Sat, May 26, 2007 at 04:08:48PM -0400, Perrin Harkins wrote:
>>> On 5/26/07, Bill Moseley [EMAIL PROTECTED] wrote:
>>>> Perhaps an easier way to show the problem with duplicate created sessions would help.
>>>
>>> Do you mean duplicate or multiple? The session ID generation code in Catalyst::Plugin::Session does look like it could generate duplicates to me, but that would be rare and unpredictable.
>>
>> Ya, sorry. Multiple. It's generating one session id, storing values under that ID, then creating a new session id and then sending that as the cookie. So when the browser returns that cookie none of the session data is there.
>
> I think I see what's happening. Try changing Catalyst::Plugin::Session::finalize() to this:
>
>     sub finalize {
>         my $c = shift;
>         $c->NEXT::finalize(@_);
>         $c->finalize_session;
>     }
>
> Just flipped the calls so it finalizes last. Seems to fix it.

I still think it might be a good idea to keep track of whether the finalize has happened and raise an exception if it's used.

Maurice
Re: [Catalyst] Duplicate session ids
On Sat, May 26, 2007 at 03:00:31PM -0700, mla wrote:
> The problem is that the finalize() process calls the Catalyst::Plugin::Session->finalize_session before finalize_cookies() is called. And finalize_session() calls $c->_clear_session_instance_data after saving. So by the time your finalize_cookies() is called, the session has been saved and cleared. When you call $c->session in finalize_cookies(), it's unaware that the session ever existed, so a new one is created.

Ah, I see. This is new behavior at some point -- just not sure when or what I upgraded to make it show up. Just could not log into the application. Took a few hours to just figure out it was my access of the session in finalize cookies that was causing the problem. Amazing what a thirst for a cold beverage can generate.

> I don't know what the proper fix is. I'm still trying to understand the whole process flow. Maybe $c->session should raise an exception if it's already been saved. And then should the session try to finalize later (dunno if that's even possible).

Yes, it's a bit of a task winding through all the modules and recent check-ins looking for what change caused the problem. I still have a stray debugging statement I added that I need to track down. ;)

I was really wishing for some fine grain debugging statements already in the code I could turn on so I could see the flow of the session management process during the request. Even some comments in the code would be helpful. I just have not had time to get back to it.

--
Bill Moseley
[EMAIL PROTECTED]
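The finalize-ordering problem mla describes above, Bill's proposed "save, then NEXT::finalize, then clear" order, and the "raise if the session is touched after finalize" guard Maurice suggests, as an added Python model that is not Catalyst code and not from anyone in the thread. The store, the session ids and the hook that reads the session during the cookie step are constructed stand-ins for the real plugin and Bill's application.

```python
_ids = iter(range(1, 1000))  # constructed stand-in for the plugin's random session id generator

class SessionFinalized(RuntimeError):
    """Session touched after it was saved and cleared (the guard suggested in the thread)."""

class Ctx:
    """Tiny model of one Catalyst request: shared store, request cookie, response cookie."""
    def __init__(self, store, cookie_in=None, hook=None, guard=False):
        self.store, self.cookie_in, self.hook, self.guard = store, cookie_in, hook, guard
        self.sid = self.data = self.cookie_out = None
        self.finalized = False

    def session(self):                       # lazily loads or creates, like $c->session
        if self.finalized and self.guard:
            raise SessionFinalized("session accessed after finalize_session")
        if self.data is None:
            if self.cookie_in in self.store:
                self.sid, self.data = self.cookie_in, dict(self.store[self.cookie_in])
            else:                            # set_session_id -> update_session_cookie
                self.sid, self.data = "sid%d" % next(_ids), {}
                self.cookie_out = self.sid
        return self.data

    def _save_session(self):                 # the saving half of finalize_session
        if self.data is not None:
            self.store[self.sid] = self.data
            self.cookie_out = self.sid

    def _clear_session_instance_data(self):
        self.sid = self.data = None
        self.finalized = True

    def finalize_cookies(self):              # where Bill's application hook ran
        if self.hook:
            self.hook(self)

def finalize_broken(c):     # order mla describes: save and clear, then the cookie step
    c._save_session(); c._clear_session_instance_data(); c.finalize_cookies()

def finalize_proposed(c):   # Bill's proposal: save, let NEXT::finalize run, clear last
    c._save_session(); c.finalize_cookies(); c._clear_session_instance_data()

def login_then_return(finalize, guard=False, hook=lambda c: c.session()):
    # Request 1 logs in; request 2 presents the cookie it received. Return what request 2 sees.
    store = {}
    c1 = Ctx(store, hook=hook, guard=guard)
    c1.session()["user"] = "bill"
    finalize(c1)
    c2 = Ctx(store, cookie_in=c1.cookie_out, hook=hook, guard=guard)
    return dict(c2.session())
```

With the broken order the hook silently creates a fresh session after the real one was cleared, so the browser receives an id that holds no data; with the guard enabled the same access fails loudly instead.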