Skip Menu |

This queue is for tickets about the Apache-Session-Wrapper CPAN distribution.

Report information
The Basics
Id: 78203
Status: open
Priority: 0/
Queue: Apache-Session-Wrapper

Owner: Nobody in particular
Requestors: gregoa [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

From: gregoa [...]
Subject: use_cookie + allow_invalid_id doesn't work with malformed cookies
Download (untitled) / with headers
text/plain 118b
This bug has been forwarded from Thanks in advance, gregor herrmann, Debian Perl Group
Oops, there's something missing: From : From: Alexander Zangerl <> To: Debian Bug Tracking System <> Subject: Bug#680186: use_cookie + allow_invalid_id doesn't work with malformed cookies Date: Wed, 04 Jul 2012 20:25:57 +1000 Reply-To: Alexander Zangerl <>, if a client sends a totally malformed cookie then Apache2::Cookie::Jar dies (either on construction or on access using cookies()) and the session wrapper dies as well, regardless of allow_invalid_id being on or not. furthermore, if the format of the cookie value is syntactically correct but doesn't match the format wanted by the respective session module, then the validation function in the id generator module dies - and the wrapper doesn't catch that and dies, disregarding allow_invalid_id. the attached tiny patch takes care of both issues: by catching exceptions on cookie access, and by looking for the "invalid id" indicators provided by the session id generator modules. regards az The patch can be found in the Debian Bug report.

This service is sponsored and maintained by Best Practical Solutions and runs on infrastructure.

Please report any issues with to