Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

Re: Problems getting session management to work: is_expired seems to lie to me

by sundialsvc4 (Abbot)
on May 06, 2013 at 22:04 UTC ( #1032407=note: print w/ replies, xml ) Need Help??


in reply to Problems getting session management to work: is_expired seems to lie to me

Looking at the source-code of CGI::Session using the CPAN link, we can confirm that yes, the value of is_expired() is useful only after a load() call, since it is setting several bit-flags using the (alas, “thawed” and therefore not so easily readable) database data, viz:

# checking for expiration ticker if ( $self->{_DATA}->{_SESSION_ETIME} ) { if ( ($self->{_DATA}->{_SESSION_ATIME} + $self->{_DATA}->{_SES +SION_ETIME}) <= time() ) { $self->_set_status( STATUS_EXPIRED | # <-- so client ca +n detect expired sessions STATUS_DELETED ); # <-- session shou +ld be removed from database $self->flush(); # <-- flush() will + do the actual removal! return $self; } }

flush() is visibly a very-important call, responsible for creating, updating, and removing the underlying database record.

Now, we notice that this code is acting upon information that has been saved previously in the database, in the “frozen” blob of data ... if it is there!   But, as Corion probably already intuited, there is a very good chance that it isn’t.

The POD documentation says (in the second sentence of “a warning about auto-flushing,” that:   Explicit flushing after key session updates is recommended.   And this is precisely what I would now suggest that you do.   In the } else { part, after you have created the session, set its expiration-time and two parameters, flush() now.   Don’t just add a line at the end of the module and hope for the best.   As soon as you have made any changes that you want to be permanently fixed in the database, flush.   Do this as-needed in both the “session found“ and the “new session” cases, erring as-needed on the side of caution, and I suspect that your troubles will vanish.   (And if I’m right, Corion beat me to it.)


Comment on Re: Problems getting session management to work: is_expired seems to lie to me
Download Code
Re^2: Problems getting session management to work: is_expired seems to lie to me
by ted.byers (Scribe) on May 06, 2013 at 22:40 UTC

    Thanks, this is actually helpful, and leads to a couple other questions.

    The code where the session has been created has now been changed to:

    $session = CGI::Session->new('driver:mysql',$query,{ DataSource => +'dbi:mysql:profitorius', User => 'rejbyers', Password => 'Didr39Qcab' }); $session->expire("5m"); $session->param('qwerty',12345); $session->param('zxcvb',98765); $session->flush;

    That is the only place in my code where the session data is actually changed, except when load updates the time when the session will next expire, if not accessed before that time. Alas, this change did not change the behaviour I see, implying your first guess, and Corion's, is incorrect. I do, and have always, seen the session parameters I'd set when I accessed the page before the session timed out, so I know that that data had been stored, and thus I am not especially surprised that adding the fluch earlier in the call sequence didn't change anything.

    But, my first question to you, since you have gone through that code, is, "Is the code you quoted responsible for the fact that I see the session empty in the call to is_empty, as I had suspected all along (an expection that should also be inferable from the code you quoted)? Second, and more importantly, is there any chance that the lines that set the status to 'STATUS_DELETED', followed by a flush, could have unintentionally removed the 'STATUS_EXPIRED ' status (I am thinking maybe in the call to flush, but I haven't dug into the bowels of that code).

    Thanks

    Ted

      I did some digging of my own. Here is what I found.

      Function load begins:

      sub load { my $class = shift; return $class->set_error( "called as instance method") if ref $ +class; return $class->set_error( "Too many arguments provided to load()") + if @_ > 5; my $self = bless { _DATA => { _SESSION_ID => undef, _SESSION_CTIME => undef, _SESSION_ATIME => undef, _SESSION_REMOTE_ADDR => $ENV{REMOTE_ADDR} || "", # # Following two attributes may not exist in every single s +ession, and declaring # them now will force these to get serialized into databas +e, wasting space. But they # are here to remind the coder of their purpose # # _SESSION_ETIME => undef, # _SESSION_EXPIRE_LIST => {} }, # session data _DSN => {}, # parsed DSN params _OBJECTS => {}, # keeps necessary objects _DRIVER_ARGS=> {}, # arguments to be passed to driver _CLAIMED_ID => undef, # id **claimed** by client _STATUS => STATUS_UNSET,# status of the session object _QUERY => undef # query object }, $class;

      Here we see that _STATUS is part of _DATA. Then, a little further on in load, where it checks for whether or not the session has timed out, we have:

      # checking for expiration ticker if ( $self->{_DATA}->{_SESSION_ETIME} ) { if ( ($self->{_DATA}->{_SESSION_ATIME} + $self->{_DATA}->{_SES +SION_ETIME}) <= time() ) { $self->_set_status( STATUS_EXPIRED | # <-- so client ca +n detect expired sessions STATUS_DELETED ); # <-- session shou +ld be removed from database $self->flush(); # <-- flush() will + do the actual removal! return $self; } }

      Which, I believe you quoted. But then in flush, we have:

      sub flush { my $self = shift; # Would it be better to die or err if something very basic is wron +g here? # I'm trying to address the DESTROY related warning # from: http://rt.cpan.org/Ticket/Display.html?id=17541 # return unless defined $self; return unless $self->id; # <-- empty session # neither new, nor deleted nor modified return if !defined($self->{_STATUS}) or $self->{_STATUS} == STATUS +_UNSET; if ( $self->_test_status(STATUS_NEW) && $self->_test_status(STATUS +_DELETED) ) { $self->{_DATA} = {}; return $self->_unset_status(STATUS_NEW | STATUS_DELETED); } my $driver = $self->_driver(); my $serializer = $self->_serializer(); if ( $self->_test_status(STATUS_DELETED) ) { defined($driver->remove($self->id)) or return $self->set_error( "flush(): couldn't remove session + data: " . $driver->errstr ); $self->{_DATA} = {}; # <-- removing all + the data, making sure # it won't be acce +ssible after flush() return $self->_unset_status(STATUS_DELETED); } if ( $self->_test_status(STATUS_NEW | STATUS_MODIFIED) ) { my $datastr = $serializer->freeze( $self->dataref ); unless ( defined $datastr ) { return $self->set_error( "flush(): couldn't freeze data: " + . $serializer->errstr ); } defined( $driver->store($self->id, $datastr) ) or return $self->set_error( "flush(): couldn't store datastr: + " . $driver->errstr); $self->_unset_status(STATUS_NEW | STATUS_MODIFIED); } return 1; }

      In the block that begins with "if ( $self->_test_status(STATUS_DELETED) ) {", we have "$self->{_DATA} = {};". Doesn't this have the effect of blowing away the "STATUS_EXPIRED" status, resulting in a false value being returned by is_expired because it is checking against a member in the hash that does not exist after the flush when the status has been given a status of DELETED?

      Thanks

      Ted

        No, status isn't part of data, see _set_status

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1032407]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (8)
As of 2014-12-25 02:59 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (159 votes), past polls