http://www.perlmonks.org?node_id=1032409


in reply to Re: Problems getting session management to work: is_expired seems to lie to me
in thread Problems getting session management to work: is_expired seems to lie to me

Thanks, this is actually helpful, and leads to a couple other questions.

The code where the session has been created has now been changed to:

  $session = CGI::Session->new('driver:mysql',$query,{ DataSource  => 
+'dbi:mysql:profitorius',
                              User        => 'rejbyers',
                              Password    => 'Didr39Qcab' });
  $session->expire("5m");
  $session->param('qwerty',12345);
  $session->param('zxcvb',98765);
  $session->flush;

[download]

That is the only place in my code where the session data is actually changed, except when load updates the time when the session will next expire, if not accessed before that time. Alas, this change did not change the behaviour I see, implying your first guess, and Corion's, is incorrect. I do, and have always, seen the session parameters I'd set when I accessed the page before the session timed out, so I know that that data had been stored, and thus I am not especially surprised that adding the fluch earlier in the call sequence didn't change anything.

But, my first question to you, since you have gone through that code, is, "Is the code you quoted responsible for the fact that I see the session empty in the call to is_empty, as I had suspected all along (an expection that should also be inferable from the code you quoted)? Second, and more importantly, is there any chance that the lines that set the status to 'STATUS_DELETED', followed by a flush, could have unintentionally removed the 'STATUS_EXPIRED ' status (I am thinking maybe in the call to flush, but I haven't dug into the bowels of that code).

Thanks

Ted

  • Comment on Re^2: Problems getting session management to work: is_expired seems to lie to me
  • Download Code

Replies are listed 'Best First'.
Re^3: Problems getting session management to work: is_expired seems to lie to me
by ted.byers (Monk) on May 06, 2013 at 23:42 UTC

    I did some digging of my own. Here is what I found.

    Function load begins:

    sub load {
    my $class = shift;
    return $class->set_error( "called as instance method")    if ref $
+class;
    return $class->set_error( "Too many arguments provided to load()")
+  if @_ > 5;

    my $self = bless {
        _DATA       => {
            _SESSION_ID     => undef,
            _SESSION_CTIME  => undef,
            _SESSION_ATIME  => undef,
            _SESSION_REMOTE_ADDR => $ENV{REMOTE_ADDR} || "",
            #
            # Following two attributes may not exist in every single s
+ession, and declaring
            # them now will force these to get serialized into databas
+e, wasting space. But they
            # are here to remind the coder of their purpose
            #
#            _SESSION_ETIME  => undef,
#            _SESSION_EXPIRE_LIST => {}
        },          # session data
        _DSN        => {},          # parsed DSN params
        _OBJECTS    => {},          # keeps necessary objects
        _DRIVER_ARGS=> {},          # arguments to be passed to driver
        _CLAIMED_ID => undef,       # id **claimed** by client
        _STATUS     => STATUS_UNSET,# status of the session object
        _QUERY      => undef        # query object
    }, $class;

    [download]

    Here we see that _STATUS is part of _DATA. Then, a little further on in load, where it checks for whether or not the session has timed out, we have:

        # checking for expiration ticker
    if ( $self->{_DATA}->{_SESSION_ETIME} ) {
        if ( ($self->{_DATA}->{_SESSION_ATIME} + $self->{_DATA}->{_SES
+SION_ETIME}) <= time() ) {
            $self->_set_status( STATUS_EXPIRED |    # <-- so client ca
+n detect expired sessions
                STATUS_DELETED );                   # <-- session shou
+ld be removed from database
            $self->flush();                         # <-- flush() will
+ do the actual removal!
            return $self;
        }
    }

    [download]

    Which, I believe you quoted. But then in flush, we have:

    sub flush {
    my $self = shift;

    # Would it be better to die or err if something very basic is wron
+g here? 
    # I'm trying to address the DESTROY related warning
    # from: http://rt.cpan.org/Ticket/Display.html?id=17541
    # return unless defined $self;

    return unless $self->id;            # <-- empty session
    
    # neither new, nor deleted nor modified
    return if !defined($self->{_STATUS}) or $self->{_STATUS} == STATUS
+_UNSET;

    if ( $self->_test_status(STATUS_NEW) && $self->_test_status(STATUS
+_DELETED) ) {
        $self->{_DATA} = {};
        return $self->_unset_status(STATUS_NEW | STATUS_DELETED);
    }

    my $driver      = $self->_driver();
    my $serializer  = $self->_serializer();

    if ( $self->_test_status(STATUS_DELETED) ) {
        defined($driver->remove($self->id)) or
            return $self->set_error( "flush(): couldn't remove session
+ data: " . $driver->errstr );
        $self->{_DATA} = {};                        # <-- removing all
+ the data, making sure
                                                    # it won't be acce
+ssible after flush()
        return $self->_unset_status(STATUS_DELETED);
    }

    if ( $self->_test_status(STATUS_NEW | STATUS_MODIFIED) ) {
        my $datastr = $serializer->freeze( $self->dataref );
        unless ( defined $datastr ) {
            return $self->set_error( "flush(): couldn't freeze data: "
+ . $serializer->errstr );
        }
        defined( $driver->store($self->id, $datastr) ) or
            return $self->set_error( "flush(): couldn't store datastr:
+ " . $driver->errstr);
        $self->_unset_status(STATUS_NEW | STATUS_MODIFIED);
    }
    return 1;
}

    [download]

    In the block that begins with "if ( $self->_test_status(STATUS_DELETED) ) {", we have "$self->{_DATA} = {};". Doesn't this have the effect of blowing away the "STATUS_EXPIRED" status, resulting in a false value being returned by is_expired because it is checking against a member in the hash that does not exist after the flush when the status has been given a status of DELETED?

    Thanks

    Ted

[reply]
[d/l]
[select]
      No, status isn't part of data, see _set_status
[reply]

        Sorry, my mistake. I misread it. But then, why does it have an incorrect value once the session expires? All of my colleagues see the same behaviour, in that they always see the session being empty, but they never get the right value from is_expired once the session has expired.

        Always, we create the sessions using:

          $session = CGI::Session->new('driver:mysql',$query,{ DataSource  => 
+'dbi:mysql:profitorius',
                              User        => 'rejbyers',
                              Password    => 'Didr39Qcab' });
  $session->expire("5m");

        [download]

        Obviously with different DB credentials and timeout value. And we check it always with something like:

          $session = CGI::Session->load('driver:mysql',$query,{ DataSource  =>
+ 'dbi:mysql:profitorius',
                              User        => 'rejbyers',
                              Password    => 'Didr39Qcab' });
  my $extest = $session->is_expired;

        [download]

        Again, obviously, with different DB credentials. As we always add session parameters, we seem to be able to rely on the session being empty to know the session expired, but we have never been able to get a correct value from is_expired once a session has actually expired. It always returns false to us, when we use it in an actual CGI script. Why?

        Thanks.

        Ted

[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom