
This queue is for tickets about the CGI-Session CPAN distribution.

Report information
The Basics
Id: 34280
Status: resolved
Priority: 0/
Queue: CGI-Session

Owner: MARKSTOS [...]
Requestors: mail [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: Incorrect session ID for subdomain
Date: Thu, 20 Mar 2008 14:47:06 +0300
To: bug-CGI-Session [...]
From: Тимур Кондратьев <mail [...]>
Hello.

I have 2 different sites: and both using CGI::Session

When I go to there are 2 session cookies are being sent, first with Host: and second with Host:

The problem is CGI::Session use first cookie, which isn't valid for, thus creating new session each time you hit

Changing $CGI::Session::NAME is not the option cause both sites run on same server under mod_perl persistent environment.

Versions:
# $Id: 353 2006-12-05 02:10:19Z markstos $
$CGI::Session::VERSION 4.20
This is perl, v5.8.8 built for i386-freebsd-64int

Thank you.
CC: bug-CGI-Session [...]
Subject: Re: [Cgi-session-user] [Fwd: [ #34280] Incorrect session ID for subdomain]
Date: Fri, 21 Mar 2008 11:35:02 -0400
To: List - CGI::Session <cgi-session-user [...]>
From: Mark Stosberg <mark [...]>
> o Digression: Line 93 of CGI::Cookie is:
> s/\s*(.*?)\s*/$1/;
> whereas line 34 of CGI::Simple::Cookie is:
> $pair =~ s/^\s+|\s+$//; # trim leading trailing whitespace
> You can see there's a missing /g on this last line, since it removes
> either leading or trailing spaces, but not both. I'll log a bug report.

Great catch, Ron!

> Whose responsibility is it to ensure only cookies for the 'current'
> domain are retrieved from the headers sent by the client? I suppose the
> client should only be sending 'relevant' cookies. Perhaps in OP's
> situation, both cookies are relevant?

I did the test of logging in both with and without the "www" and then checking the cookies set when I visit "www". Two cookies are sent. Firefox sent "" first, and then "" second.

I also read the Cookie RFC to see if there is a "right" order to send and parse cookies in, and it appears there is not.

Therefore, I think this is not a bug at all, but the user's burden to check the domain in this case and make sure they have the right cookie.

Mark
This is a bug in CGI::Session. It is the user's responsibility to check the domains and select the right cookie if necessary. You could consider giving the cookies different names in those different contexts to further avoid confusion.

Mark
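
Added example, not part of the ticket or of CGI::Session: the Cookie request header carries only name=value pairs, with no Domain attribute, so one way to do the selection discussed above is to collect every value sent under the cookie name and keep the first one that this site's own session store recognises. The cookie name CGISESSID and the 32-hex-digit ID shape are CGI::Session defaults; the %store hash, the helper names and the sample header are constructed stand-ins.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return every value sent for $name, in header order. A browser may send
# several same-named cookies (one per matching domain scope) in one header.
sub cookie_values {
    my ($header, $name) = @_;
    my @values;
    for my $pair (split /;/, defined $header ? $header : '') {
        $pair =~ s/^\s+|\s+$//g;            # trim both ends (note the /g)
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && defined $v;
        push @values, $v if $k eq $name;
    }
    return @values;
}

# Pick the first candidate that this site's session store knows about.
# $is_known is a callback; here it is a hypothetical stand-in for a real
# lookup in the site's session storage.
sub pick_session_id {
    my ($header, $name, $is_known) = @_;
    for my $sid (cookie_values($header, $name)) {
        # Assumption: default MD5 ID generator, i.e. 32 lowercase hex digits.
        # Rejecting anything else keeps odd input away from the store lookup.
        next unless $sid =~ /\A[0-9a-f]{32}\z/;
        return $sid if $is_known->($sid);
    }
    return;    # nothing usable: the caller starts a new session
}

# Constructed sample: two CGISESSID cookies arrive in one request, and only
# the second one belongs to this site's store.
my $other_sid = 'a' x 32;
my $this_sid  = 'b' x 32;
my %store     = ($this_sid => 1);
my $header    = "CGISESSID=$other_sid; lang=en; CGISESSID=$this_sid";

my $sid = pick_session_id($header, 'CGISESSID', sub { exists $store{ $_[0] } });
print defined $sid ? "using session $sid\n" : "no valid session, creating one\n";
```

Taking the first same-named value blindly would select the ID that this store does not know, which is the new-session-on-every-hit behaviour the report describes.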
