Subject: New bug report for CGI::Session
Date: Mon, 3 Sep 2007 19:01:30 +0100
To: <bug-CGI-Session@rt.cpan.org>
From: "Nick Andrews" <nick@andrews-consultancy.com>
Message
Hi Mark,

I believe I've found a new bug in CGI::Session (v4.20). I have been able to replicate this issue reliably across platforms (Win and Unix) and have identified the cause of the problem and a proposed fix.

The issue arises as follows:
- You're using -ip_match
- You have an existing session
- Your IP has changed since your last session

Here's my analysis of what happens next:
- Browser presents session ID in the cookie
- Call to new() detects that the IP doesn't match, deletes session, creates a new one
- The new session thus created in this scenario is always *missing* the _SESSION_REMOTE_ADDR parameter. This is where the bug lies.
- For this reason all subsequent requests then follow the same pattern: IP doesn't match (because there now isn't one in the session), a new session is created (again without an IP), and the result is a broken session which never 'sticks'.

Looking at the code I believe this is fixed by the addition of the following 1 extra line after line 82:

    $dataref->{_SESSION_REMOTE_ADDR} = $ENV{REMOTE_ADDR} || "";

I hope that my analysis is correct, and that this will enable the posting of a corrected version of the module.

Best wishes,
Nick Andrews
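
The loop described in the report above, as an added example that is not part of the original message and not CGI::Session's own code: a simplified in-memory model that replays requests from a changed IP with and without the proposed line. The names `%store`, `new_session`, `load` and `replay` and the sample addresses are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified in-memory model of the -ip_match flow described in the report.
# It is NOT CGI::Session's code; %store, new_session(), load() and replay()
# are hypothetical names used only for this illustration.
my (%store, $next_id);

sub new_session {
    my ($ip, $record_ip) = @_;
    my $sid  = sprintf 'sid%03d', ++$next_id;
    my %data = (_SESSION_ID => $sid);
    # The line proposed in the report: remember the creating client's address.
    $data{_SESSION_REMOTE_ADDR} = $ip || "" if $record_ip;
    $store{$sid} = \%data;
    return $sid;
}

# Return the claimed session if its stored IP matches the client's;
# otherwise delete it and issue a replacement.
sub load {
    my ($claimed_sid, $ip, $record_ip) = @_;
    my $data = defined $claimed_sid ? $store{$claimed_sid} : undef;
    if ($data) {
        my $stored = $data->{_SESSION_REMOTE_ADDR};
        return $claimed_sid if defined $stored && $stored eq $ip;
        delete $store{$claimed_sid};    # IP mismatch: drop the old session
    }
    return new_session($ip, $record_ip);
}

# Replay: a session created at one address, then $n requests from another,
# each presenting the cookie value returned by the previous response.
sub replay {
    my ($record_ip, $n) = @_;
    %store = (); $next_id = 0;
    my $cookie = new_session('192.0.2.10', 1);   # constructed sample addresses
    my @seen;
    for (1 .. $n) {
        $cookie = load($cookie, '198.51.100.7', $record_ip);
        push @seen, $cookie;
    }
    return @seen;
}

print "without the line: @{[ replay(0, 4) ]}\n";
print "with the line:    @{[ replay(1, 4) ]}\n";
```

In the model, the run without the line issues a fresh session ID on every request, while the run with it settles on the first replacement session.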