[dancer-users] Erroneous session-cookie setting behaviour in Dancer2
Punter
punter at punter.gr
Sun Mar 3 22:42:47 GMT 2013
Furthermore, I just looked at my database logs and saw that a mere
read-access of a session is enough to trigger a writing of the session
data to the session store.
This is wrong, as well.
On 03/03/2013 07:44 PM, David Golden wrote:
> context->destroy_session
>
> There is a "bug" in the sense that sessions are instantiated as soon
> as you request them. So the mere fact that you check
> session("logged_in") or whatever creates a new session if none exists.
>
> This is issue #155 in github. Ideally sessions would only be
> instantiated when a value is set.
>
> David
>
> On Sun, Mar 3, 2013 at 11:49 AM, Punter <punter at punter.gr> wrote:
>> Plus there's no session->destroy method, so how can I log out a user
>> properly?
>>
>>
>>
>> On 03/03/2013 06:02 PM, Punter wrote:
>>>
>>> What if a website's ethical policy is that it doesn't track users after
>>> they've logged-out?
>>>
>>> How can it prove that to the users, if it installs a new cookie then?
>>>
>>>
>>> On 03/03/2013 05:55 PM, Rik Brown wrote:
>>>>
>>>> That sounds like it's working correctly. You got a new empty session and
>>>> a cookie for it. I don't think it's expected that you won't get a cookie
>>>> if your session is empty.
>>>>
>>>> Cheers,
>>>> Rik
>>>>
>>>> Sent from my phone.
>>>>
>>>> On 3 Mar 2013 15:53, "Punter" <punter at punter.gr
>>>> <mailto:punter at punter.gr>> wrote:
>>>>
>>>> Ok.
>>>>
>>>> I went to the Database and deleted the session for which I had a
>>>> cookie, and next time I loaded a page I got ANOTHER cookie, for a
>>>> new (empty) session.
>>>>
>>>> This, I believe, is a bug.
>>>>
>>>> On 03/03/2013 01:42 PM, David Precious wrote:
>>>>
>>>> On Sun, 03 Mar 2013 02:29:47 +0200
>>>> Punter <punter at punter.gr <mailto:punter at punter.gr>> wrote:
>>>>
>>>> Now whenever I do a page any view, I get a "this website
>>>> wants to set
>>>> a cookie" message
>>>>
>>>> It shouldn't be like that. If cookie values don't change,
>>>> then they
>>>> should only be set once.
>>>>
>>>>
>>>> Except that, if you don't send the Set-Cookie header again each
>>>> time,
>>>> the cookie's expiration can't be updated - most people want a
>>>> session
>>>> expiry to be extended with each request, so it times out the
>>>> right
>>>> amount of time after the last request, rather than the last time
>>>> the
>>>> session data was updated.
>>>>
>>>> I think this is quite common and correct behaviour.
>>>>
>>>>
>>>> _________________________________________________
>>>> dancer-users mailing list
>>>> dancer-users at dancer.pm <mailto:dancer-users at dancer.pm>
>>>> http://lists.preshweb.co.uk/__mailman/listinfo/dancer-users
>>>> <http://lists.preshweb.co.uk/mailman/listinfo/dancer-users>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> dancer-users mailing list
>>>> dancer-users at dancer.pm
>>>> http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
>>>>
>>
>> _______________________________________________
>> dancer-users mailing list
>> dancer-users at dancer.pm
>> http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
>
>
>
More information about the dancer-users
mailing list