Re: Problems getting session management to work: is

in reply to Problems getting session management to work: is_expired seems to lie to me

Looking at the source-code of CGI::Session using the CPAN link, we can confirm that yes, the value of is_expired() is useful only after a load() call, since it is setting several bit-flags using the (alas, “thawed” and therefore not so easily readable) database data, viz:

    # checking for expiration ticker
    if ( $self->{_DATA}->{_SESSION_ETIME} ) {
        if ( ($self->{_DATA}->{_SESSION_ATIME} + $self->{_DATA}->{_SES
+SION_ETIME}) <= time() ) {
            $self->_set_status( STATUS_EXPIRED |    # <-- so client ca
+n detect expired sessions
                STATUS_DELETED );                   # <-- session shou
+ld be removed from database
            $self->flush();                         # <-- flush() will
+ do the actual removal!
            return $self;
        }
    }
[download]

flush() is visibly a very-important call, responsible for creating, updating, and removing the underlying database record.

Now, we notice that this code is acting upon information that has been saved previously in the database, in the “frozen” blob of data ... if it is there! But, as Corion probably already intuited, there is a very good chance that it isn’t.

The POD documentation says (in the second sentence of “a warning about auto-flushing,” that: Explicit flushing after key session updates is recommended. And this is precisely what I would now suggest that you do. In the } else { part, after you have created the session, set its expiration-time and two parameters, flush() now. Don’t just add a line at the end of the module and hope for the best. As soon as you have made any changes that you want to be permanently fixed in the database, flush. Do this as-needed in both the “session found“ and the “new session” cases, erring as-needed on the side of caution, and I suspect that your troubles will vanish. (And if I’m right, Corion beat me to it.)

Comment on Re: Problems getting session management to work: is_expired seems to lie to me Download Code

Replies are listed 'Best First'.
Re^2: Problems getting session management to work: is_expired seems to lie to me by ted.byers (Monk) on May 06, 2013 at 22:40 UTC
Thanks, this is actually helpful, and leads to a couple other questions. The code where the session has been created has now been changed to: `$session = CGI::Session->new('driver:mysql',$query,{ DataSource => +'dbi:mysql:profitorius', User => 'rejbyers', Password => 'Didr39Qcab' }); $session->expire("5m"); $session->param('qwerty',12345); $session->param('zxcvb',98765); $session->flush;` [download] That is the only place in my code where the session data is actually changed, except when load updates the time when the session will next expire, if not accessed before that time. Alas, this change did not change the behaviour I see, implying your first guess, and Corion's, is incorrect. I do, and have always, seen the session parameters I'd set when I accessed the page before the session timed out, so I know that that data had been stored, and thus I am not especially surprised that adding the fluch earlier in the call sequence didn't change anything. But, my first question to you, since you have gone through that code, is, "Is the code you quoted responsible for the fact that I see the session empty in the call to is_empty, as I had suspected all along (an expection that should also be inferable from the code you quoted)? Second, and more importantly, is there any chance that the lines that set the status to 'STATUS_DELETED', followed by a flush, could have unintentionally removed the 'STATUS_EXPIRED ' status (I am thinking maybe in the call to flush, but I haven't dug into the bowels of that code). Thanks Ted	[reply] [d/l]
Re^3: Problems getting session management to work: is_expired seems to lie to me by ted.byers (Monk) on May 06, 2013 at 23:42 UTC
I did some digging of my own. Here is what I found. Function load begins: sub load { my $class = shift; return $class->set_error( "called as instance method") if ref $ +class; return $class->set_error( "Too many arguments provided to load()") + if @_ > 5; my $self = bless { _DATA => { _SESSION_ID => undef, _SESSION_CTIME => undef, _SESSION_ATIME => undef, _SESSION_REMOTE_ADDR => $ENV{REMOTE_ADDR} \|\| "", # # Following two attributes may not exist in every single s +ession, and declaring # them now will force these to get serialized into databas +e, wasting space. But they # are here to remind the coder of their purpose # # _SESSION_ETIME => undef, # _SESSION_EXPIRE_LIST => {} }, # session data _DSN => {}, # parsed DSN params _OBJECTS => {}, # keeps necessary objects _DRIVER_ARGS=> {}, # arguments to be passed to driver _CLAIMED_ID => undef, # id claimed by client _STATUS => STATUS_UNSET,# status of the session object _QUERY => undef # query object }, $class; [download] Here we see that _STATUS is part of _DATA. Then, a little further on in load, where it checks for whether or not the session has timed out, we have: `# checking for expiration ticker if ( $self->{_DATA}->{_SESSION_ETIME} ) { if ( ($self->{_DATA}->{_SESSION_ATIME} + $self->{_DATA}->{_SES +SION_ETIME}) <= time() ) { $self->_set_status( STATUS_EXPIRED \| # <-- so client ca +n detect expired sessions STATUS_DELETED ); # <-- session shou +ld be removed from database $self->flush(); # <-- flush() will + do the actual removal! return $self; } }` [download] Which, I believe you quoted. But then in flush, we have: sub flush { my $self = shift; # Would it be better to die or err if something very basic is wron +g here? # I'm trying to address the DESTROY related warning # from: http://rt.cpan.org/Ticket/Display.html?id=17541 # return unless defined $self; return unless $self->id; # <-- empty session # neither new, nor deleted nor modified return if !defined($self->{_STATUS}) or $self->{_STATUS} == STATUS +_UNSET; if ( $self->_test_status(STATUS_NEW) && $self->_test_status(STATUS +_DELETED) ) { $self->{_DATA} = {}; return $self->_unset_status(STATUS_NEW \| STATUS_DELETED); } my $driver = $self->_driver(); my $serializer = $self->_serializer(); if ( $self->_test_status(STATUS_DELETED) ) { defined($driver->remove($self->id)) or return $self->set_error( "flush(): couldn't remove session + data: " . $driver->errstr ); $self->{_DATA} = {}; # <-- removing all + the data, making sure # it won't be acce +ssible after flush() return $self->_unset_status(STATUS_DELETED); } if ( $self->_test_status(STATUS_NEW \| STATUS_MODIFIED) ) { my $datastr = $serializer->freeze( $self->dataref ); unless ( defined $datastr ) { return $self->set_error( "flush(): couldn't freeze data: " + . $serializer->errstr ); } defined( $driver->store($self->id, $datastr) ) or return $self->set_error( "flush(): couldn't store datastr: + " . $driver->errstr); $self->_unset_status(STATUS_NEW \| STATUS_MODIFIED); } return 1; } [download] In the block that begins with "if ( $self->_test_status(STATUS_DELETED) ) {", we have "$self->{_DATA} = {};". Doesn't this have the effect of blowing away the "STATUS_EXPIRED" status, resulting in a false value being returned by is_expired because it is checking against a member in the hash that does not exist after the flush when the status has been given a status of DELETED? Thanks Ted	[reply] [d/l] [select]
Re^4: Problems getting session management to work: is_expired seems to lie to me by Anonymous Monk on May 06, 2013 at 23:44 UTC
No, status isn't part of data, see _set_status	[reply]
Re^5: Problems getting session management to work: is_expired seems to lie to me by ted.byers (Monk) on May 06, 2013 at 23:59 UTC
Re^6: Problems getting session management to work: is_expired seems to lie to me by Anonymous Monk on May 07, 2013 at 00:04 UTC

In Section Seekers of Perl Wisdom