
This queue is for tickets about the CGI-Session CPAN distribution.

Report information
The Basics
Id: 34280
Status: resolved
Priority: 0/
Queue: CGI-Session

People
Owner: MARKSTOS [...] cpan.org
Requestors: mail [...] adtim.ru
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Incorrect session ID for subdomain
Date: Thu, 20 Mar 2008 14:47:06 +0300
From: Тимур Кондратьев <mail [...] adtim.ru>
Hello.

I have 2 different sites: site.com and sub.site.com, both using CGI::Session.

When I go to sub.site.com, 2 session cookies are being sent, the first with Host: .site.com and the second with Host: sub.site.com.

The problem is that CGI::Session uses the first cookie, which isn't valid for sub.site.com, thus creating a new session each time you hit sub.site.com.

Changing $CGI::Session::NAME is not an option because both sites run on the same server under a mod_perl persistent environment.

Versions:
# $Id: Session.pm 353 2006-12-05 02:10:19Z markstos $
$CGI::Session::VERSION 4.20
This is perl, v5.8.8 built for i386-freebsd-64int

Thank you.
Subject: Re: [Cgi-session-user] [Fwd: [rt.cpan.org #34280] Incorrect session ID for subdomain]
Date: Fri, 21 Mar 2008 11:35:02 -0400
From: Mark Stosberg <mark [...] summersault.com>
> o Digression: Line 93 of CGI::Cookie is:
> s/\s*(.*?)\s*/$1/;
> whereas line 34 of CGI::Simple::Cookie is:
> $pair =~ s/^\s+|\s+$//; # trim leading trailing whitespace
> You can see there's a missing /g on this last line, since it removes
> either leading or trailing spaces, but not both. I'll log a bug report.

Great catch, Ron!

> Whose responsibility is it to ensure only cookies for the 'current'
> domain are retrieved from the headers sent by the client? I suppose the
> client should only be sending 'relevant' cookies. Perhaps in OP's
> situation, both cookies are relevant?

I did the Perlmonks.org test of logging in both with and without the "www" and then checking the cookies set when I visit "www". Two cookies are sent. Firefox sent "perlmonks.org" first, and then "www.perlmonks.org" second.

I also read the Cookie RFC to see if there is a "right" order to send and parse cookies in, and it appears there is not.

Therefore, I think this is not a bug at all, but the user's burden to check the domain in this case and make sure they have the right cookie.

Mark
This is a bug in CGI::Session. It is the user's responsibility to check the domains and select the right cookie if necessary. You could consider giving the cookies different names in those different contexts to further avoid confusion.

Mark
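
The duplicate-cookie case discussed in this ticket, together with the whitespace trim quoted from CGI::Simple::Cookie, as an added example that is not part of the ticket or of CGI::Session's own code. It goes slightly beyond the thread by checking each candidate against the current site's session store, since the Cookie request header carries no domain to compare. Assumptions: the cookie name CGISESSID and 32-hex-digit IDs; `cookie_values`, `pick_session_id`, the sample header and the store hash are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return every value sent for $name, in header order. The Cookie request
# header holds only name=value pairs (no Domain or Path), so the cookies
# set by site.com and sub.site.com differ only in their values.
sub cookie_values {
    my ($header, $name) = @_;
    return () unless defined $header;
    my @values;
    for my $pair (split /;/, $header) {
        $pair =~ s/^\s+|\s+$//g;    # /g so that BOTH ends are trimmed
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $v && $k eq $name;
        push @values, $v;
    }
    return @values;
}

# Pick the first candidate that is well formed and known to this site's
# session store. $exists is a caller-supplied lookup (hypothetical here).
sub pick_session_id {
    my ($header, $name, $exists) = @_;
    for my $id (cookie_values($header, $name)) {
        next unless $id =~ /\A[0-9a-f]{32}\z/;    # assumed ID shape
        return $id if $exists->($id);
    }
    return;    # nothing usable: the caller starts a new session
}

# Constructed sample: the parent-domain cookie arrives first, and the
# second pair has stray whitespace on both sides.
my $header = 'CGISESSID=0123456789abcdef0123456789abcdef; '
           . ' CGISESSID=fedcba9876543210fedcba9876543210 ';

# Constructed stand-in for the session store of sub.site.com.
my %sub_site_store = ('fedcba9876543210fedcba9876543210' => 1);

my $sid = pick_session_id($header, 'CGISESSID',
                          sub { exists $sub_site_store{ $_[0] } });
print defined $sid ? "using session $sid\n" : "no valid session cookie\n";
```

The selected ID can be passed to `CGI::Session->new` as the explicit session ID argument in place of the query object, so the module does not fall back to the first cookie it finds.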

