#!/usr/bin/env perl
use strict;
use Dancer;
use Plack::Builder;
use Plack::Session::State::Cookie;

get "/" => sub {
    content_type "text/plain";
    # when session is not used, dancer won't write the cookie plack_session
    session( flag => "true" );
    "ok";
};

my $app = sub {
    Dancer->dance(Dancer::Request->new(env => $_[0]));
};

builder {
    enable "Session",
        state => Plack::Session::State::Cookie->new(
            path     => "/",
            httponly => 1,
            samesite => "Strict"
        ),
        store => "File";
    $app;
};
Start the app:
plackup app.pl
Now call this command:
$ curl --ipv4 -v "http://localhost:5000/"
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5000 (#0)
> GET / HTTP/1.1
> Host: localhost:5000
> User-Agent: curl/7.54.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Sat, 24 Oct 2020 11:51:26 GMT
< Server: HTTP::Server::PSGI
< Server: Perl Dancer 1.3513
< Content-Length: 2
< Content-Type: text/plain
< Set-Cookie: plack_session=591691120650231880599938160068176594; path=/; HttpOnly
< X-Powered-By: Perl Dancer 1.3513
< Set-Cookie: plack_session=a91cf7ff9af6f744cc2461df9f82cbf4279036ce; path=/; SameSite=Strict; HttpOnly
<
* Closing connection 0
What is weird: the cookie "plack_session" is repeated, once with the default settings, and once with the settings
from the Plack middleware.
I looked around in the code, and saw that Dancer::Response::add_cookie is called from Dancer::Cookies
with arguments plack_session and a Dancer::Cookie object. That explains the first cookie. The second
cookie is explained by the plack middleware. So Dancer still tries to write the session cookie, even though
the configuration forbids it?
I do not know how the browser and/or the server deal with this situation (only use the last cookie with that name?),
but when the cookie flag should be "secure", it should be secure, and not repeating the same value in another
cookie..
Any idea?
A quick "fix" could be to write a second Dancer::Session::PSGI2, that overrides the method write_session_id
from Dancer::Session::Abstract, but the code clearly states that those lines should not be overwritten (although
this code works..).
package Dancer::Session::PSGI2;
use strict;
use warnings;
use base "Dancer::Session::PSGI";
#overwrite write_session_id from Dancer::Session::Abstract that causes the duplicated cookie plack_session
sub write_session_id {}
1;
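A regression check for the duplicated cookie reported above, as an added example that is not code from the issue or from Dancer or Plack: it takes a PSGI header array and reports every cookie name set more than once, with the attributes each copy lacks. The function name `duplicate_cookies` and the list of required attributes are assumptions; the sample headers are the two `Set-Cookie` lines from the curl output.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Report cookie names that a response sets more than once and, for each copy,
# which of the required attributes it lacks.
# $headers is a PSGI header array ref: [ name, value, name, value, ... ].
sub duplicate_cookies {
    my ( $headers, @required ) = @_;
    my %seen;
    for ( my $i = 0 ; $i < $#$headers ; $i += 2 ) {
        next unless lc( $headers->[$i] ) eq 'set-cookie';
        my ( $pair, @attrs ) = split /\s*;\s*/, $headers->[ $i + 1 ];
        next unless defined $pair;    # empty header value
        my ($name) = split /=/, $pair, 2;
        my %flags;    # attribute names only, lower-cased ("samesite", "httponly")
        $flags{ lc( ( split /=/, $_, 2 )[0] ) } = 1 for grep { length } @attrs;
        push @{ $seen{$name} }, \%flags;
    }
    my %report;
    for my $name ( grep { @{ $seen{$_} } > 1 } keys %seen ) {
        $report{$name} =
          [ map { my $f = $_; [ grep { !$f->{$_} } @required ] } @{ $seen{$name} } ];
    }
    return \%report;
}

# The two Set-Cookie headers from the curl output above.
my @headers = (
    'Content-Type' => 'text/plain',
    'Set-Cookie' =>
      'plack_session=591691120650231880599938160068176594; path=/; HttpOnly',
    'Set-Cookie' =>
      'plack_session=a91cf7ff9af6f744cc2461df9f82cbf4279036ce; path=/; SameSite=Strict; HttpOnly',
);

# Attributes the middleware was configured with (assumed to be the required set).
my $dups = duplicate_cookies( \@headers, qw(httponly samesite) );
for my $name ( sort keys %$dups ) {
    my $n = 0;
    for my $missing ( @{ $dups->{$name} } ) {
        printf "%s copy %d: missing %s\n", $name, ++$n,
          @$missing ? "@$missing" : '(nothing)';
    }
}
exit( %$dups ? 1 : 0 );    # non-zero exit when any cookie is duplicated
```

Adding `secure` to the required list extends the check to the case raised in the issue, where a duplicate written with default settings would lack that flag.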
I noticed the following weird behaviour when using Dancer in combination with Plack::Middleware::Session.
Imagine this simple app with files: config.yml, app.pl