cookie "plack_session" set twice when using session "PSGI" #1227

Open
nicolasfranck opened this issue Oct 24, 2020 · 1 comment

@nicolasfranck

I noticed the following weird behaviour when using Dancer in combination with
Plack::Middleware::Session.

Imagine this simple app with files:

config.yml:

session: "PSGI"
log: "debug"
logger: "console"
warnings: 1
show_errors: 1
route_cache: 0

app.pl:

#!/usr/bin/env perl
use strict;
use Dancer;
use Plack::Builder;
use Plack::Session::State::Cookie;

get "/" => sub {
    content_type "text/plain";
    #when session is not used, dancer won't write the cookie plack_session
    session( flag => "true");
    "ok";
};

my $app = sub {
  Dancer->dance(Dancer::Request->new(env => $_[0]));
};

builder {
    enable "Session",
        state => Plack::Session::State::Cookie->new(
            path => "/",
            httponly => 1,
            samesite => "Strict"
        ),
        store => "File";
    $app;
};

Start the app:

plackup app.pl

Now call this command:

$ curl --ipv4 -v "http://localhost:5000/"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5000 (#0)
> GET / HTTP/1.1
> Host: localhost:5000
> User-Agent: curl/7.54.0
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Sat, 24 Oct 2020 11:51:26 GMT
< Server: HTTP::Server::PSGI
< Server: Perl Dancer 1.3513
< Content-Length: 2
< Content-Type: text/plain
< Set-Cookie: plack_session=591691120650231880599938160068176594; path=/; HttpOnly
< X-Powered-By: Perl Dancer 1.3513
< Set-Cookie: plack_session=a91cf7ff9af6f744cc2461df9f82cbf4279036ce; path=/; SameSite=Strict; HttpOnly
< 
* Closing connection 0

What is weird: the cookie "plack_session" is repeated, once with the default settings, and once with the settings
from the Plack middleware.

I looked around in the code, and I saw that Dancer::Response::add_cookie is called from Dancer::Cookies
with arguments plack_session and a Dancer::Cookie object. That explains the first cookie. The second
cookie is explained by the Plack middleware. So Dancer still tries to write the session cookie, even though
the configuration forbids it?

I do not know how the browser and/or the server deal with this situation (only use the last cookie with that name?),
but when the cookie flag should be "secure", it should be secure, and not repeating the same value in another
cookie.

Any idea?
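The duplicated header in the curl session above is easy to miss by eye. The following Python check is added here and is not part of the issue or of Dancer: it parses a captured response, reports every cookie name that is set more than once, notes which copies lack HttpOnly or SameSite, and states what a browser does with the duplicates (RFC 6265 section 5.3 replaces an earlier cookie with a later one of the same name, domain and path, so the last Set-Cookie wins). The sample response is constructed from the headers shown above.

```python
from collections import defaultdict

# Constructed sample: the response headers from the curl session above, with
# the "< " prefixes stripped; the cookie values are the ones shown there.
SAMPLE_RESPONSE = """\
HTTP/1.0 200 OK
Date: Sat, 24 Oct 2020 11:51:26 GMT
Server: HTTP::Server::PSGI
Content-Length: 2
Content-Type: text/plain
Set-Cookie: plack_session=591691120650231880599938160068176594; path=/; HttpOnly
X-Powered-By: Perl Dancer 1.3513
Set-Cookie: plack_session=a91cf7ff9af6f744cc2461df9f82cbf4279036ce; path=/; SameSite=Strict; HttpOnly
"""

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    pair, *attrs = (p.strip() for p in header_value.split(";"))
    name, _, value = pair.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), value, attributes

def find_duplicate_cookies(raw_response):
    """Return {name: [(value, attrs), ...]} for cookie names set more than once."""
    by_name = defaultdict(list)
    for line in raw_response.splitlines():
        if line.lower().startswith("set-cookie:"):
            name, value, attrs = parse_set_cookie(line.split(":", 1)[1])
            by_name[name].append((value, attrs))
    return {n: c for n, c in by_name.items() if len(c) > 1}

def audit(raw_response, required=("httponly", "samesite")):
    """Report duplicate cookie names and, per copy, the required attributes it lacks."""
    # RFC 6265 s5.3: a cookie with the same name, domain and path replaces the
    # stored one, so the last Set-Cookie wins; every copy still crosses the wire.
    findings = []
    for name, copies in find_duplicate_cookies(raw_response).items():
        scopes = {(a.get("domain"), a.get("path")) for _, a in copies}
        rule = "last one wins in the browser" if len(scopes) == 1 else "stored separately"
        findings.append(f"{name}: set {len(copies)} times ({rule})")
        for i, (_, attrs) in enumerate(copies, 1):
            missing = [a for a in required if a not in attrs]
            if missing:
                findings.append(f"{name} #{i}: missing {', '.join(missing)}")
    return findings
```

Pass `required=("secure", "httponly", "samesite")` when the app is served over HTTPS, which is the case the issue raises.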

@nicolasfranck (Author)

A quick "fix" could be to write a second Dancer::Session::PSGI2, that overrides the method write_session_id
from Dancer::Session::Abstract, but the code clearly states that those lines should not be overwritten (although
this code works.).

package Dancer::Session::PSGI2;
use strict;
use warnings;
use base "Dancer::Session::PSGI";

#overwrite write_session_id from Dancer::Session::Abstract that causes the duplicated cookie plack_session
sub write_session_id {}

1;

and set session: PSGI2
