http://www.perlmonks.org?node_id=968660


in reply to Re^2: CGI::Session keeps re-using same session ID
in thread CGI::Session keeps re-using same session ID

I'm astonished at how difficult sessions are to get working, even for an experienced Perl programmer like me.

I'm not :) HTTP is complicated enough, and then you have to deal with the implementation details of CGI.pm and CGI::Session.pm.

CGI::Session->new will try to load a session first, and only create a new session if it fails to load one

The thing is, since in the CGI protocol cookies are retrieved via $ENV{HTTP_COOKIE}, if there is a cookie set, CGI::Session will always load an existing session, because CGI.pm (or CGI::Cookie.pm) will always read $ENV{HTTP_COOKIE}.

Hopefully you have read Basic cookie management (May 01) by now, but here is how you fix your program without changing the program flow: you delete the session if you can load it, then you create a new one.

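if ($action eq 'login') {
    # Load whatever session the browser's cookie refers to and remove it from storage
    $session = CGI::Session->load( "driver:File", undef, $dsn_args );
    eval {
        $session->delete;
        $session->flush;
    };
    # Nothing is left to load, so new() generates a fresh session ID
    $session = CGI::Session->new( "driver:File", undef, $dsn_args )
        or die CGI::Session->errstr;
}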
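The behaviour and the fix described in this post, as an added example that is not part of the original thread: three CGI requests are simulated offline by setting the environment variables CGI.pm reads, showing that new() reuses the cookie's ID until the stored session is deleted at login, so the pre-login ID does not carry over into the logged-in session. The temporary storage directory, the handle_request helper and the logged_in parameter are assumptions made for illustration.

```perl
# Added example (not from the thread); all request values are constructed.
use strict;
use warnings;
use CGI;
use CGI::Session;
use File::Temp qw(tempdir);

my $dsn      = "driver:File";
my $dsn_args = { Directory => tempdir( CLEANUP => 1 ) };

# Hypothetical helper: run one "request" with the given Cookie header value.
# The session object goes out of scope before the next request starts.
sub handle_request {
    my ( $cookie, $action ) = @_;
    local $ENV{REQUEST_METHOD} = 'GET';
    local $ENV{HTTP_COOKIE}    = $cookie;    # the variable CGI.pm reads cookies from

    my $session;
    if ( $action eq 'login' ) {
        # The fix from the post: drop whatever session the cookie names ...
        $session = CGI::Session->load( $dsn, undef, $dsn_args )
            or die CGI::Session->errstr;
        eval { $session->delete; $session->flush; };
        # ... so that new() finds nothing to load and generates a fresh ID.
        $session = CGI::Session->new( $dsn, undef, $dsn_args )
            or die CGI::Session->errstr;
        $session->param( logged_in => 1 );
    }
    else {
        $session = CGI::Session->new( $dsn, undef, $dsn_args )
            or die CGI::Session->errstr;
    }
    my $id = $session->id;
    $session->flush;
    return $id;
}

my $name = CGI::Session->name;    # name of the session cookie

my $first  = handle_request( '',              'view' );     # no cookie yet
my $second = handle_request( "$name=$first",  'view' );     # cookie sent back
my $third  = handle_request( "$name=$second", 'login' );    # login with the old cookie

printf "second request reused the ID: %s\n", $second eq $first ? 'yes' : 'no';
printf "login issued a different ID:  %s\n", $third ne $second ? 'yes' : 'no';

# Look the pre-login ID up explicitly to see whether it survived the login.
my $stale = CGI::Session->load( $dsn, $first, $dsn_args ) or die CGI::Session->errstr;
printf "pre-login session is gone:    %s\n", $stale->is_empty ? 'yes' : 'no';
```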

Re^4: CGI::Session keeps re-using same session ID
by alain_desilets (Beadle) on May 04, 2012 at 18:42 UTC

    It worked! Thx a million!

    Is it me, or is the documentation for CGI::Session severely misleading? It clearly says:

    new( DSN, SID, HASHREF )
    
        Requires three arguments. First is the Data Source Name, second should be the session id to be initialized or an object which provides either of 'param()' or 'cookie()' methods. If Data Source Name is undef, it will fall back to default values, which are "driver:File;serializer:Default;id:MD5".
    
        If session id is missing, ***it will force the library to generate a new session id***, which will be accessible through id() method.
    
    But obviously, it doesn't.

      Is it me, or is the documentation for CGI::Session severely misleading?

      It's not just you, though at the moment, I can't judge if it is misleading.

      The latest version, which is what I read, says http://search.cpan.org/~markstos/CGI-Session-4.48/lib/CGI/Session.pm#new%28%29

      If called without any arguments, $dsn defaults to driver:file;serializer:default;id:md5, $query||$sid defaults to CGI->new(), and \%dsn_args defaults to undef.

      That isn't strictly true, as it defaults to CGI->new whenever the second argument is undef.

      At the moment, I've no idea how that could be improved :) patches welcome

      However, you probably would not have run into this if you weren't implementing your own login logic error :) As "Basic cookie management" teaches, you set one cookie per browser (brand-the-browser, associate sessionid with browser).

      Later, for login, you update some session data (username, login status).

      Later, for logout, you delete the entire session, and delete the cookie.

      Or you could even, later, for logout, keep the cookie (and session) alive, but delete some session data (delete username, login status)...