
moseley at hank
Jun 6, 2009, 3:57 PM
I was looking over the session code and noticed this:

    sub session {
        my $c = shift;

        $c->_session || $c->_load_session || do {
            $c->create_session_id_if_needed;
            $c->initialize_session_data;
        };
    }

My concern is the use of create_session_id_if_needed(). If it can't fetch the session then, it would appear, that it creates a new session using the *user provided* session id.

In other words, it provides a way for users to generate their own session ids as long as it passes the validate_session_id method, which doesn't take much.

I would think that if a passed in session id is not valid then a newly created session must have a key generated by the application and not use one passed in by the user. From the looks of the code it would seem like someone could create a session with an id of "1", for example.

My question is can anyone see why not just do this:

    sub session {
        my $c = shift;

        $c->_session || $c->_load_session || do {
            $c->create_session_id;
            $c->initialize_session_data;
        };
    }

In order to load the session it needs the session id by calling _load_sessionid. When it does that it stores the session id if it's "valid".

In _load_sessionid:

    if ( defined( my $sid = $c->get_session_id ) ) {
        if ( $c->validate_session_id($sid) ) {
            # temporarily set the inner key, so that validation will work
            warn "setting _sessionid($sid)\n";
            $c->_sessionid($sid);
            return $sid;
        }
        ...

Which sets the session id as long as it passes:

    sub validate_session_id {
        my ( $c, $sid ) = @_;

        $sid and $sid =~ /^[a-f\d]+$/i;
    }

-- 
Bill Moseley
moseley[at]hank.org
Sent from my iMutt

_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
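
The two lookup variants compared in the post above, modelled as a stand-alone script so the difference in the resulting session key can be observed. This is an added example, not Catalyst's session code and not part of the original message. The %store hash, the names session_if_needed and session_always_new, and the /dev/urandom id generator are assumptions made for the illustration; only the validation pattern is taken from the post.

```perl
#!/usr/bin/perl
# Added illustration: a stand-alone model of the lookup logic, not Catalyst code.
use strict;
use warnings;

my %store;    # constructed in-memory session store: id => data hashref

# Same pattern as validate_session_id quoted in the post.
sub validate_session_id { my ($sid) = @_; return $sid && $sid =~ /^[a-f\d]+$/i }

# Hypothetical generator: 16 bytes from the OS CSPRNG, hex-encoded.
sub create_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    ( read( $fh, my $buf, 16 ) // 0 ) == 16 or die "short read";
    close $fh;
    return unpack 'H*', $buf;
}

# Behaviour the post is concerned about: an unknown but well-formed
# client-supplied id becomes the key of the new session.
sub session_if_needed {
    my ($client_sid) = @_;
    my $sid = validate_session_id($client_sid) ? $client_sid : undef;
    return ( $sid, $store{$sid} ) if defined $sid && exists $store{$sid};
    $sid = create_session_id() unless defined $sid;
    return ( $sid, $store{$sid} = {} );
}

# Behaviour the post proposes: when no stored session matches, the key
# is always generated by the application.
sub session_always_new {
    my ($client_sid) = @_;
    return ( $client_sid, $store{$client_sid} )
        if validate_session_id($client_sid) && exists $store{$client_sid};
    my $sid = create_session_id();
    return ( $sid, $store{$sid} = {} );
}

# Constructed request: the client presents the id "1" with no stored session.
for my $variant ( [ if_needed => \&session_if_needed ],
                  [ always_new => \&session_always_new ] ) {
    %store = ();
    my ( $name, $code ) = @$variant;
    my ($sid) = $code->('1');
    printf "%-10s client sent '1', session key '%s', client-chosen: %s\n",
        $name, $sid, $sid eq '1' ? 'yes' : 'no';
}
```

A regression test for the real application can use the same check: send a well-formed id that is not in the store and assert that the id in the response differs from the one sent.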