newperldeveloper has asked for the wisdom of the Perl Monks concerning the following question:

I have two applications: one to view the data and an old application (CGI) that is downloading the data. After upgrading Mojolicious to version 9.30, the CGI application uses the following code.

    builder {
        enable 'Session',
            store => Plack::Session::Store::File::Mojolicious->new(
                $ENV{directory} ? (dir => $ENV{directory}) : ()
            ),
            state => Plack::Session::State::Cookie::Mojolicious->new(
                secure      => 1,
                session_key => 'download_app',
            );
        $app;
    };

After the upgrade I am getting the following error message in the log: Cookie "download_app" is not signed. After adding secret=>'my secret' I am still getting the same error. I am taking over for someone and I believe the code is acting as a wrapper for Mojolicious that lets you log in to the viewing app code. Downgrading Mojolicious removes the error. And if I log in to the CGI app I have access to the viewing app and vice versa.

Replies are listed 'Best First'.
Re: Cookie not signed after upgrading mojolicious
by Corion (Patriarch) on Jul 21, 2021 at 11:15 UTC

    I don't see a Mojolicious 9.30, but the Changes file mentions:

    Switched from HMAC-SHA1 to HMAC-SHA256 for signed cookies. Note that this means that all sessions will be reset.

    To me, this means this is expected behaviour. I don't know if/how you can migrate the signed cookies from the old version to the new version automatically. I guess you would need to have two code paths. One that receives and validates the HMAC-SHA256 cookies, and one that gets taken when the SHA256 validation fails (maybe copied from the old Mojolicious distribution), that validates against the old HMAC-SHA1, and does an upgrade.

      Didn't see this information, I didn't see that information. Is there a way to have Plack switch to signing with HMAC-SHA256?

        Plack itself doesn't handle sessions, and I don't find Plack::Session::Store::File::Mojolicious on CPAN (neither does Google find it elsewhere), so I don't know what you would need to do to make it sign the cookies using HMAC-SHA256. Maybe that file is just the Mojolicious code for cookie signing copied into the Plack API and you can also just copy the (new) Mojolicious code into that.
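
The two-code-path idea from Corion's first reply, as an added example (not code from the thread, from Mojolicious, or from the poster's Plack wrapper): verify HMAC-SHA256 first, fall back to HMAC-SHA1, and hand back a re-signed cookie when the legacy path matched. The `value--signature` layout, the `name=value` signed string, every function name, and the sample secret and value are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1_hex hmac_sha256_hex);

# Assumed wire format: "<value>--<hex HMAC of 'name=value'>".
sub sign_cookie {
    my ($name, $value, $secret, $hmac) = @_;
    return "$value--" . $hmac->("$name=$value", $secret);
}

# Compare every byte so timing does not reveal where the strings differ.
sub secure_compare {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns { value, reissue } on success, undef if unsigned or forged.
# reissue holds an HMAC-SHA256 cookie when the legacy path was taken.
sub verify_cookie {
    my ($name, $cookie, $secret) = @_;
    my ($value, $sig) = $cookie =~ /\A(.*)--([0-9a-f]+)\z/s or return undef;
    my $data = "$name=$value";
    return +{ value => $value, reissue => undef }
        if secure_compare($sig, hmac_sha256_hex($data, $secret));
    # Legacy path: accept HMAC-SHA1 and upgrade the cookie.
    return +{ value => $value,
              reissue => sign_cookie($name, $value, $secret, \&hmac_sha256_hex) }
        if secure_compare($sig, hmac_sha1_hex($data, $secret));
    return undef;
}

# Constructed sample input: placeholder secret and session value.
my ($name, $secret) = ('download_app', 'constructed-demo-secret');
my $old = sign_cookie($name, 'eyJ1c2VyIjoiZGVtbyJ9', $secret, \&hmac_sha1_hex);

my $legacy = verify_cookie($name, $old, $secret);
print "legacy cookie accepted, reissue as: $legacy->{reissue}\n";

my $current = verify_cookie($name, $legacy->{reissue}, $secret);
print "sha256 cookie accepted, reissue needed: ",
    (defined $current->{reissue} ? 'yes' : 'no'), "\n";

(my $forged = $old) =~ s/^e/f/;    # tamper with the value, keep the old signature
print "tampered cookie: ", (verify_cookie($name, $forged, $secret) ? 'accepted' : 'rejected'), "\n";
print "unsigned cookie: ",
    (verify_cookie($name, 'eyJ1c2VyIjoiZGVtbyJ9', $secret) ? 'accepted' : 'rejected'), "\n";
```

Remove the fallback branch once the old sessions' lifetime has passed, so that only HMAC-SHA256 signatures are accepted.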