>
> currently it sends the cookie every time, but (as gerald and i
> discussed privately) i have a feeling that's a modperl 1.24 issue.
>
> if you write to %udat after calling DeleteSession, then it creates the
> session in the database (or on disk, etc), but still deletes the
> cookie. if you do this, you probably deserve to leak sessions tho ;)
> (reading after deleting is fine)
>

Now delete, read after delete and write after delete should work. Also the
cookie resending logic is enhanced. Maybe this works also for you.

>
> my point was that it tries to create whatever session the browser asks
> for. imo, if the browser has a cookie for which no session exists, the
> browser should get given a new randomly generated session, just as if
> it had no existing cookie.
>
> if it wasn't for taint, it'd be a real security issue. consider what
> would happen using FileStore and a session id of "../../bin/httpd" (or
> some path that exists).
>

Ok, Embperl has relied on Apache::Session to validate the session id, but actually
it doesn't do this correctly.

I have added a session id validation (if Apache::Session 1.53+ is installed,
it uses the validate method of the Generate class); if the session id is
invalid or the session id doesn't exist, Embperl now generates a new id and
sends a new cookie with this id.

I also have made a lot of enhancements to make test, to better test all these
situations, but this is not totally finished yet, so a few of the tests in
the current CVS version fail, but Embperl seems to do the right thing.

Gerald

-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     [EMAIL PROTECTED]         Voice:    +49 6133 925151
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------
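The validate-or-regenerate behaviour described in the reply, as an added Python example that is not Embperl's or Apache::Session's own code: a constructed file-backed store checks the id format before the id is ever used as a filename, and any cookie id that is malformed or has no stored session is replaced by a fresh random id with a new cookie. The 32-hex-digit id format and all names below are assumptions for the illustration.

```python
import os
import re
import secrets
import tempfile

# Assumed id format: 32 hex digits, as an MD5-style generator would produce.
SESSION_ID_RE = re.compile(r"^[0-9a-fA-F]{32}$")


class FileSessionStore:
    """Constructed stand-in for a file-backed session store."""

    def __init__(self, directory):
        self.directory = os.path.realpath(directory)

    def path_for(self, session_id):
        # Validate *before* building a path, so a value such as
        # "../../bin/httpd" is rejected instead of being joined onto
        # the store directory.
        if not SESSION_ID_RE.match(session_id):
            raise ValueError("malformed session id")
        return os.path.join(self.directory, session_id)

    def exists(self, session_id):
        return os.path.isfile(self.path_for(session_id))

    def create(self, session_id, data=""):
        with open(self.path_for(session_id), "w") as fh:
            fh.write(data)


def new_session_id():
    return secrets.token_hex(16)  # 32 hex characters


def resolve_session(store, cookie_id):
    """Return (session_id, set_cookie).

    set_cookie is True whenever the browser needs a new cookie: no cookie,
    a malformed id, or an id with no stored session. The browser-supplied
    value is never used to create a session."""
    if cookie_id is not None and SESSION_ID_RE.match(cookie_id) \
            and store.exists(cookie_id):
        return cookie_id, False
    sid = new_session_id()
    store.create(sid)
    return sid, True


def make_temp_store():
    """Helper that builds a throwaway store for trying the logic out."""
    return FileSessionStore(tempfile.mkdtemp(prefix="sess-"))
```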
