boboson has asked for the wisdom of the Perl Monks concerning the following question:

I am using
CGI::Application;
CGI::Application::Plugin::Session;

for my session handling of my community. However, sometimes I experience a strange bug.

I open up a browser window (window1) and browse to my community webpage without logging in. Then I open another browser window (window2). I log into my community account in window2. I go to a section of my community that you need to be logged in to be able to access. I cut the URL which is something like
"http://www.xxxxxx.com/index.cgi?rm=member_info"
and paste it into browser window1. Voila, I am logged into my community in window1 without logging in, this is not my intended behaviour.

The code:
I have a base class which, in its cgiapp_init class, initializes my session with default values.

my $session = $self->session;
It seems like I receive the same sessionID?

I can log in multiple users at the same time from the same computer.
Anybody have a clue?

Re: multiple browserwindows session bug
by Joost (Canon) on Jun 11, 2006 at 22:45 UTC
    I believe older versions of MS internet explorer did not share session cookies over multiple windows (I think it depended on how the windows were opened). In other words, the different windows sometimes behaved as completely separate browsers.

    I don't think any current browser acts that way - session cookies are usually shared by all windows. In other words, what you are seeing is expected behaviour and you probably shouldn't try to work around it.

      The real problem with this behaviour is when you register several accounts on the same computer and there are activation emails sent to new members. When you click the link in the activation email you get to my community page and instead of activating the account, you are logged in as another just created user.

      This is not likely to happen to an everyday member of my site, but it happens to me while testing and to the site owners when they preregister members.

        Do you understand that this only happens with multiple windows of the same running browser? If different users each log in to the computer and run a browser, they are not sharing the same one. If a user logs in and never logs out, and someone else shares that same account on the same computer, then of course the session on your site will remain in effect. All that you do about that is use a short inactivity period on your sessions.
Re: multiple browserwindows session bug
by Arunbear (Prior) on Jun 11, 2006 at 22:52 UTC
    I don't think this behaviour is a problem, but it is inevitable if you use cookies to store the session id. So if you really must avoid this behaviour, pass the session id in urls instead of cookies.

    As a start, in your cgiapp_init you would need to avoid sending cookies:

    $self->session_config(
        CGI_SESSION_OPTIONS => [
            # whatever
        ],
        SEND_COOKIE => 0,    # default is 1
    );
    Next you'll have to arrange for all your urls to contain the session id (and you will learn much while contemplating how to do that).
      That has always been my backup plan for users that don't accept cookies. I use cookies but I also add the sessionID to the URL if the browser doesn't accept cookies.
      Is appending the sessionID alone a preferred way of doing this? If a user accepts cookies, why not use that?
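
An added example, not code from the thread or from CGI::Application, of one way to handle the activation-link case described above: the handler activates the account named by a signed token in the link and does not treat a shared cookie session belonging to a different user as a login. The token scheme, the `handle_activation` and `activation_token` names, the in-memory stores and all sample values are assumptions constructed for illustration; it uses only core Perl modules.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed sample data: a server-side secret, two accounts, and one
# session whose cookie is shared by every window of the same browser.
my $SECRET   = 'constructed-demo-secret';
my %accounts = (alice => { active => 1 }, bob => { active => 0 });
my %sessions = ('sid-123' => { user => 'alice' });

# Token placed in the activation e-mail link; it binds the link to one account.
sub activation_token {
    my ($user) = @_;
    return hmac_sha256_hex("activate:$user", $SECRET);
}

# Compare two strings without stopping at the first differing character.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Hypothetical run mode for the activation link. The account to activate
# comes from the signed token, never from the session cookie the browser sent.
sub handle_activation {
    my ($sid, $user, $token) = @_;
    return 'rejected'
        unless exists($accounts{$user}) && ct_eq($token, activation_token($user));
    $accounts{$user}{active} = 1;
    my $sess = defined $sid ? $sessions{$sid} : undef;
    # The shared cookie may carry another member's login: end that session
    # so the visitor logs in as the account that was just activated.
    if ($sess && $sess->{user} ne $user) {
        delete $sessions{$sid};
        return 'activated, other session ended';
    }
    return 'activated';
}

# Window 1 still holds alice's cookie when bob's activation link is opened.
print handle_activation('sid-123', 'bob', activation_token('bob')), "\n";
print handle_activation('sid-123', 'bob', 'forged-token'), "\n";
```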