This queue is for tickets about the CGI-Session CPAN distribution.

Report information
The Basics
Id:
29138
Status:
resolved
Priority:
Low/Low
Queue:
CGI-Session
People
Owner:
MARKSTOS [...] cpan.org
Requestors:
nick [...] andrews-consultancy.com
Cc:
AdminCc:
BugTracker
Severity:
(no value)
Broken in:
(no value)
Fixed in:
(no value)

History
Mon Sep 03 14:13:42 2007 nick [...] andrews-consultancy.com - Ticket created
Subject: New bug report for CGI::Session
Date: Mon, 3 Sep 2007 19:01:30 +0100
To: <bug-CGI-Session@rt.cpan.org>
From: "Nick Andrews" <nick@andrews-consultancy.com>


Message
Hi Mark,
 
I believe I've found a new bug in CGI::Session (v4.20). I have been able to 
replicate this issue reliably across platforms (Win and Unix) and have identified
the cause of the problem and a proposed fix.
 
The issue arises as follows:
 
- You're using -ip_match
- You have an existing session
- Your IP has changed since your last session
 
Here's my analysis of what happens next:
 
- Browser presents session ID in the cookie
 
- Call to new() detects that the IP doesn't match, deletes session, creates a new one
 
- The new session thus created in this scenario is always *missing* the
_SESSION_REMOTE_ADDR parameter. This is where the bug lies.
 
- For this reason all subsequent requests then follow the same pattern: IP doesn't match
(because there now isn't one in the session), a new session is created (again without an IP),
and the result is a broken session which never 'sticks'.
 
Looking at the code I believe this is fixed by the addition of the following 1 extra line
after line 82:
 
$dataref->{_SESSION_REMOTE_ADDR} = $ENV{REMOTE_ADDR} || "";
 
I hope that my analysis is correct, and that this will enable the posting of
a corrected version of the module.
 
Best wishes,
Nick Andrews
 
Fri Feb 15 15:24:43 2008 bf.mbox [...] gmail.com - Correspondence added
From: bf.mbox@gmail.com

Nick, Could you please be specific as to which file you are fixing? I am having similar problems and do not see a follow up to this report. (A context diff would be useful) Another case to consider is when a browser has been closed and the session cookie is deleted, then the browser is restarted and CGI::Session does not have a session id cookie. Thanks, Barry Friedman On Mon Sep 03 14:13:42 2007, nick@andrews-consultancy.com wrote:
Show quoted text
> > Looking at the code I believe this is fixed by the addition of the > following 1 extra line > after line 82: > > $dataref->{_SESSION_REMOTE_ADDR} = $ENV{REMOTE_ADDR} || ""; > > I hope that my analysis is correct, and that this will enable the > posting of > a corrected version of the module. > > Best wishes, > Nick Andrews >
Fri Feb 15 15:24:47 2008 The RT System itself - Status changed from 'new' to 'open'
Mon Feb 18 10:15:17 2008 mark [...] summersault.com - Correspondence added
CC: cgi-session-user@lists.sf.net
Subject: Re: [rt.cpan.org #29138] New bug report for CGI::Session
Date: Mon, 18 Feb 2008 10:14:27 -0500
To: bug-CGI-Session@rt.cpan.org
From: Mark Stosberg <mark@summersault.com>

This change looks OK to me. However, I'm about to have a baby any day (hour?) now, so if someone else could update the code, tests and changelog for this, that would be appreciated. (Antirice, still there?) Just post a patch in "diff -u" format as an attachment to this bug report, or commit directly if you have access. Mark Barry Friedman via RT wrote:
Show quoted text
> Queue: CGI-Session > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=29138 > > > Nick, > > Could you please be specific as to which file you are fixing? > I am having similar problems and do not see a follow up to this > report. (A context diff would be useful) > > Another case to consider is when a browser has been closed and the > session cookie is deleted, then the browser is restarted and > CGI::Session does not have a session id cookie. > > Thanks, > Barry Friedman > > On Mon Sep 03 14:13:42 2007, nick@andrews-consultancy.com wrote:
>> >> Looking at the code I believe this is fixed by the addition of the >> following 1 extra line >> after line 82: >> >> $dataref->{_SESSION_REMOTE_ADDR} = $ENV{REMOTE_ADDR} || ""; >> >> I hope that my analysis is correct, and that this will enable the >> posting of >> a corrected version of the module. >> >> Best wishes, >> Nick Andrews >>
> > >
-- . . . . . . . . . . . . . . . . . . . . . . . . . . . Mark Stosberg Principal Developer mark@summersault.com Summersault, LLC 765-939-9301 ext 202 database driven websites . . . . . http://www.summersault.com/ . . . . . . . .
Sat Mar 15 22:04:24 2008 MARKSTOS [...] cpan.org - Taken
Sat Mar 15 22:05:00 2008 MARKSTOS [...] cpan.org - Correspondence added

Ron Savage said this resolved in our code repository now. Mark
Sat Mar 15 22:05:03 2008 MARKSTOS [...] cpan.org - Status changed from 'open' to 'resolved'

This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.