Skip Menu | will be shut down on March 1st, 2021.

This queue is for tickets about the CGI-Session CPAN distribution.

Report information
The Basics
Id: 34280
Status: resolved
Priority: 0/
Queue: CGI-Session

Owner: MARKSTOS [...]
Requestors: mail [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Received: from ( []) by (Postfix) with SMTP id 5BC7E4D80DE for <bug-CGI-Session [...]>; Thu, 20 Mar 2008 07:48:15 -0400 (EDT)
Received: (qmail 27344 invoked from network); 20 Mar 2008 11:48:14 -0000
Received: from ( by with QMQP; 20 Mar 2008 11:48:14 -0000
Received: from Unknown (HELO ( by (qpsmtpd/0.43rc1) with ESMTP; Thu, 20 Mar 2008 04:48:08 -0700
Received: (qmail 47152 invoked by uid 89); 20 Mar 2008 11:47:04 -0000
Received: from unknown (HELO ? (ya [...] [...] by with ESMTPA; 20 Mar 2008 11:47:04 -0000
Delivered-To: cpan-bug+CGI-Session [...]
Subject: Incorrect session ID for subdomain
MIME-Version: 1.0
User-Agent: Thunderbird (Windows/20080213)
X-Spam-Status: No, hits=-2.5 required=8.0 tests=BAYES_00,RDNS_NONE,SPF_HELO_PASS,SPF_PASS
Return-Path: <mail [...]>
X-Original-To: bug-CGI-Session [...]
Date: Thu, 20 Mar 2008 14:47:06 +0300
X-Spam-Level: *
Message-Id: <47E24EBA.6030601 [...]>
content-type: text/plain; charset="utf-8"; format="flowed"
To: bug-CGI-Session [...]
Content-Transfer-Encoding: 7bit
From: Тимур Кондратьев <mail [...]>
X-RT-Original-Encoding: windows-1251
Content-Length: 636
Download (untitled) / with headers
text/plain 636b
Hello. I have 2 different sites: and both using CGI::Session When I go to there are 2 session cookies are being sent, first with Host: and second with Host: The problem is CGI::Session use first cookie, which isn't valid for, thus creating new session each time you hit Changing $CGI::Session::NAME is not the option cause both sites run on same server under mod_perl persistent environment. Versions: # $Id: 353 2006-12-05 02:10:19Z markstos $ $CGI::Session::VERSION 4.20 This is perl, v5.8.8 built for i386-freebsd-64int Thank you.
CC: bug-CGI-Session [...]
MIME-Version: 1.0
X-Spam-Status: No, hits=-2.6 required=8.0 tests=BAYES_00,SPF_PASS
In-Reply-To: <1206069850.4323.121.camel [...]>
References: <47E282B4.6010704 [...]> <1206069850.4323.121.camel [...]>
Content-Type: text/plain; charset="utf-8"; format="flowed"
X-RT-Original-Encoding: us-ascii
Received: from ( []) by (Postfix) with SMTP id 92CA24D8070 for <bug-CGI-Session [...]>; Fri, 21 Mar 2008 11:30:54 -0400 (EDT)
Received: (qmail 13396 invoked from network); 21 Mar 2008 15:30:53 -0000
Received: from ( by with QMQP; 21 Mar 2008 15:30:53 -0000
Received: from (HELO ( by (qpsmtpd/0.43rc1) with SMTP; Fri, 21 Mar 2008 08:30:47 -0700
Received: (qmail 47934 invoked from network); 21 Mar 2008 11:31:16 -0400
Received: from ( by with SMTP; 21 Mar 2008 11:31:16 -0400
Delivered-To: cpan-bug+CGI-Session [...]
Subject: Re: [Cgi-session-user] [Fwd: [ #34280] Incorrect session ID for subdomain]
User-Agent: Thunderbird (X11/20071022)
Return-Path: <mark [...]>
X-Original-To: bug-CGI-Session [...]
Date: Fri, 21 Mar 2008 11:35:02 -0400
X-Spam-Level: *
Message-Id: <47E3D5A6.5010100 [...]>
To: List - CGI::Session <cgi-session-user [...]>
X-Enigmail-Version: 0.95.6
Content-Transfer-Encoding: 7bit
From: Mark Stosberg <mark [...]>
X-RT-Original-Encoding: utf-8
RT-Message-ID: <rt-3.6.HEAD-23846-1206113462-1263.34280-0-0 [...]>
Content-Length: 1109
Show quoted text
> o Digression: Line 93 of CGI::Cookie is: > s/\s*(.*?)\s*/$1/; > whereas line 34 of CGI::Simple::Cookie is: > $pair =~ s/^\s+|\s+$//; # trim leading trailing whitespace > You can see there's a missing /g on this last line, since it removes > either leading or trailing spaces, but not both. I'll log a bug report.
Great catch, Ron! Show quoted text
> Whose responsibility is it to ensure only cookies for the 'current' > domain are retrieved from the headers sent by the client? I suppose the > client should only be sending 'relevant' cookies. Perhaps in OP's > situation, both cookies are relevant?
I did the test of logging in both with and without the "www" and then checking the cookies set when I visit "www". Two cookies are sent. Firefox sent "" first, and then "" second. I also read the Cookie RFC to see if there is a "right" order to send and parse cookies in, and it appears there is not. Therefore, I think this is not a bug at all, but the user's burden to check the domain in this case and make sure they have the right cookie. Mark
MIME-Version: 1.0
In-Reply-To: <47E24EBA.6030601 [...]>
X-Mailer: MIME-tools 5.418 (Entity 5.418)
Content-Disposition: inline
Charset: utf8
References: <47E24EBA.6030601 [...]>
Message-Id: <rt-3.6.HEAD-23866-1206113515-571.34280-0-0 [...]>
Content-Type: text/plain
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
X-RT-Original-Encoding: utf-8
Content-Length: 244
Download (untitled) / with headers
text/plain 244b
This is a bug in CGI::Session. It is the user's responsibility to check the domains and select the right cookie if necessary. You could consider giving the cookies different names in those different contexts to further avoid confusion. Mark

This service is sponsored and maintained by Best Practical Solutions and runs on infrastructure.

Please report any issues with to