in reply to Re: Security: Dancer Session cookie swap
in thread Security: Dancer Session cookie swap

This isn't a problem.

https://metacpan.org/source/DAGOLDEN/Dancer-Session-Cookie-0.22/t/session-stealing.t

Re^3: Security: Dancer Session cookie swap
by Your Mother (Archbishop) on Jun 11, 2014 at 15:49 UTC

    That test actually does do what I would expect to find the bug if it were there. So, nice find. The report here, however, is from rare cases of swapping so it might be a highly intermittent problem that's hard to trigger or requires a fatal at a different point in the request cycle or one related to a specific server implementation. I provided an example not too long ago of a naïve test that would appear to be right but miss intermittent bugs: Re: why Test::More?. That session stealing test ought to be run in parallel with 10 agents, stutter-timed, for hundreds of requests to feel "bomb-proof" to me because that's closer to what can happen in the wild.

    My point was it's not a good idea to have a persistent/cache without having it initialized in a known state at the top of all request cycles, as the other two persistent/cache $VARS wisely are.
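The two points in the reply above (a cache that is not reset at the top of the request cycle, and a test that only fails under many interleaved requests) can be seen in a small model. This is an added example, not code from the thread, from Dancer, or from Dancer::Session::Cookie; `%STORE`, `$CACHED`, `handle_request` and `count_swaps` are hypothetical names, the session data is constructed, and a single process with randomly interleaved requests stands in for the parallel agents.

```perl
#!/usr/bin/env perl
# Constructed model of a persistent per-process session cache (hypothetical names).
use strict;
use warnings;

my %STORE = map { ("cookie$_" => { user => "agent$_" }) } 1 .. 10;  # constructed sessions
my $CACHED;    # persists across requests, like a package-level cache in a worker

# One request cycle. $reset: clear the cache at the top of the cycle.
# $fatal: die after the session is loaded but before end-of-request cleanup.
sub handle_request {
    my ($cookie, $reset, $fatal) = @_;
    undef $CACHED if $reset;                 # known state at the top of the cycle
    $CACHED //= $STORE{$cookie};             # load only if nothing is cached
    my $user = $CACHED->{user};
    die "fatal mid-request\n" if $fatal;     # the cleanup below is skipped
    undef $CACHED;                           # normal end-of-request cleanup
    return $user;
}

# 10 agents, interleaved at random, with a small rate of fatal requests.
sub count_swaps {
    my ($reset, $requests, $seed) = @_;
    srand($seed);
    undef $CACHED;
    my $swaps = 0;
    for (1 .. $requests) {
        my $n     = 1 + int rand 10;
        my $fatal = rand() < 0.02;
        my $user  = eval { handle_request("cookie$n", $reset, $fatal) };
        next unless defined $user;           # request died, nothing returned
        $swaps++ if $user ne "agent$n";      # agent saw another agent's session
    }
    return $swaps;
}

# A short sequential check with no fatals, like a single-agent test, sees nothing.
my $clean = grep { handle_request("cookie$_", 0, 0) ne "agent$_" } 1 .. 10;
printf "sequential, no fatals: %d swaps\n", $clean;
printf "no reset at top:       %d swaps in 1000 requests\n", count_swaps(0, 1000, 42);
printf "reset at top:          %d swaps in 1000 requests\n", count_swaps(1, 1000, 42);
```

In this model a swap can only happen on the request that follows a fatal one, which is why the sequential check passes while the long interleaved run does not; with the reset at the top of `handle_request` the count is always zero.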