I am not using 2 cookies, but I think the problem is related to how the application is sending the cookies.

I thought it is an IE bug, but now I am not so sure anymore, because I have made some more tests:

I have set the session to expire after 1 minute, and the cookie expiration time to 0 (to be a session cookie). In this case, no cookie should be saved on the hard disk of my client computer, but kept only in memory.

If I click a link after 1 minute with no activity on the site, I can see that the server is sending a cookie that has an expiry time, even though I've set it to be a session cookie. It sets the expiry time to the present time, so it shouldn't be sent back to the server by the browser. However, the server's time and the client computer's time don't always match.

So if I tried to login again immediately after I've seen that I am logged out, the browser sends the cookie to the server.

Now I don't know what exactly Catalyst is doing.

I think it should see that there is a session that corresponds to that cookie, and also see that that session has expired, and it should delete the session and create a new one. But the application just doesn't allow access, even though the login was successful. It doesn't create the $c->user object, so the login form is presented to the user.

If I let more than 1 minute pass and I don't try to log in, I am able to log in.

So I don't know how the session storage works, or better said, how the session files are deleted. I think that they are deleted (or re-created) only after 1 or 2 minutes, and not immediately after they expire.

This is what I found, but I don't know for sure what the reasons are for it happening this way.

I am using:
Session
Session::State::Cookie
Session::Store::File
Authentication
Authentication::Store::DBIC
Authentication::Credential::Password
Authorization::Roles

Of course, if I delete the cookie before trying to login, the browser doesn't send it anymore, and the login goes fine.

Do you have any idea why the cookie is sent by the application with an expiry date instead of sending a session cookie without it?

Octavian

----- Original Message -----
From: "Michael Alan Dorman" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, March 01, 2007 2:11 PM
Subject: Re: [Catalyst] Session problems with IE and cookies


On Wed, 28 Feb 2007 15:31:39 +0200
"Octavian Rasnita" <[EMAIL PROTECTED]> wrote:

I have created a site using Catalyst, and I access it with IE, but I
can login with no issues.
However, 2 customers told me that they can log in on the site from one
location, but they cannot do it from their workplace.
I don't know, but it might be the same bug, since after the login,
the program is making an external redirection, and the cookies are
used...

Anyway, if somebody finds what the problem is, please write to the
list.

I have seen this problem.  I finally fixed it for my application late
last year, after an embarrassingly long time. In my application the
sequence of events was:

* user goes to main site, foo.org

* user is issued a cookie, from foo.org

* user submits form, is redirected to bar.foo.org

* user is issued another cookie, from bar.foo.org

* IE begins sending both cookies to bar.foo.org.

Depending on which cookie appears last, one or the other will be
"active"; if it's the one from foo.org instead of bar.foo.org,
typically you lose, because the session ID isn't known to bar.foo.org.

I thought I was giving the right domain= values to make sure that
didn't happen; I can't tell if the problem stems from me being too
stupid to read the cookie spec right, or the IE team.  It's not a spec
that, in my opinion, is without some ambiguity.

Anyway, the situation appeared intermittently for years.  I finally got
a trace from a single client on all hosts involved that let me see where
the "mystery key" that was confusing bar.foo.org originated.

The solution I eventually adopted was to also delete the session cookie
for foo.org at the same time as I did the external redirect to
bar.foo.org. I haven't heard of the issue popping up again since.

Mike.

_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/ Dev site: http://dev.catalyst.perl.org/
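The cookie scoping Mike describes (a foo.org cookie riding along to bar.foo.org next to bar.foo.org's own cookie) and the expiry-versus-clock-skew effect Octavian observes can both be reproduced with a small simulation. The following is an added example, not code from the Catalyst project or from either poster: it implements the RFC 6265 domain-match and expiry rules in plain Python, and the hostnames (foo.org, bar.foo.org), cookie names and timestamps are constructed for the illustration.

```python
# Constructed simulation of browser cookie scoping and expiry (added example,
# not Catalyst, IE or mailing-list code). Hostnames, cookie names and
# timestamps are made up.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                  # lower-case, no leading dot
    host_only: bool              # True when Set-Cookie carried no Domain attribute
    path: str
    expires: Optional[datetime]  # None => session cookie, kept in memory only


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: the host equals the domain or is a subdomain of it."""
    h = request_host.lower()
    return h == cookie_domain or h.endswith("." + cookie_domain)


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header as received from request_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only, path, expires = request_host.lower(), True, "/", None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val:
            domain, host_only = val.strip().lower().lstrip("."), False
        elif key == "path" and val:
            path = val.strip()
        elif key == "expires" and val:
            expires = parsedate_to_datetime(val.strip())
    # RFC 6265 s5.3 step 6: a host may only set cookies for domains covering it
    if not host_only and not domain_matches(request_host, domain):
        raise ValueError(f"{request_host} may not set a cookie for {domain}")
    return Cookie(name.strip(), value.strip(), domain, host_only, path, expires)


class CookieJar:
    """Minimal in-memory jar: store Set-Cookie headers, build Cookie headers."""

    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def store(self, header: str, request_host: str) -> None:
        c = parse_set_cookie(header, request_host)
        # Same name, domain and path replaces the earlier cookie (s5.3 step 11)
        self.cookies = [o for o in self.cookies
                        if (o.name, o.domain, o.path) != (c.name, c.domain, c.path)]
        self.cookies.append(c)

    def cookie_header(self, request_host: str, request_path: str,
                      client_now: datetime) -> str:
        """Cookies a browser would send, judged by the *client's* clock."""
        sent = []
        # Iterated in creation order; real browsers may order differently,
        # which is why "whichever cookie appears last" decides on the server.
        for c in self.cookies:
            if c.host_only and request_host.lower() != c.domain:
                continue
            if not c.host_only and not domain_matches(request_host, c.domain):
                continue
            if not request_path.startswith(c.path):  # simplified path-match
                continue
            if c.expires is not None and c.expires <= client_now:
                continue  # expired by the client's clock, not the server's
            sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)


def redirect_scenario(mode: str) -> str:
    """Mike's sequence: cookie from foo.org, redirect to bar.foo.org, new cookie.

    mode: "host-only"      foo.org sets its cookie without a Domain attribute
          "domain"         foo.org sets Domain=foo.org, so subdomains get it too
          "domain+delete"  as "domain", but foo.org expires its cookie on redirect
    Returns the Cookie header bar.foo.org receives afterwards.
    """
    jar = CookieJar()
    first = "session=abc123" + ("" if mode == "host-only" else "; Domain=foo.org")
    jar.store(first, "foo.org")
    if mode == "domain+delete":
        jar.store("session=; Domain=foo.org; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
                  "foo.org")
    jar.store("session=xyz789", "bar.foo.org")
    return jar.cookie_header("bar.foo.org", "/", datetime.now(timezone.utc))


def skew_scenario(client_behind_seconds: int) -> bool:
    """Octavian's case: the server 'logs out' by re-sending the cookie with
    Expires equal to its own clock. Returns True if the client still sends it."""
    server_now = datetime(2007, 3, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    jar = CookieJar()
    jar.store("session=abc123", "foo.org")                 # plain session cookie
    jar.store("session=abc123; Expires=" + format_datetime(server_now, usegmt=True),
              "foo.org")                                   # server-side expiry
    client_now = server_now - timedelta(seconds=client_behind_seconds)
    return "session=abc123" in jar.cookie_header("foo.org", "/", client_now)


if __name__ == "__main__":
    for m in ("host-only", "domain", "domain+delete"):
        print(f"{m:14s} -> Cookie: {redirect_scenario(m)!r}")
    print("client clock exact:", skew_scenario(0))   # cookie dropped
    print("client 30s behind :", skew_scenario(30))  # stale cookie still sent
```

With `Domain=foo.org` both session cookies reach bar.foo.org, so the session a server ends up with depends on which value it reads from the header; expiring the foo.org cookie at the moment of the redirect, as Mike did, leaves only bar.foo.org's cookie. The second scenario reproduces Octavian's observation: a cookie the server expires at its own "now" is still presented by a client whose clock is 30 seconds behind, so whether a browser sends a cookie is not a reliable signal of whether the session behind it is still valid; that decision has to come from the server's own session store.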


