new( DSN, SID, HASHREF )
Requires three arguments. First is the Data Source Name, second should be the session id to be initialized or an object which provides either of 'param()' or 'cookie()' mehods. If Data Source Name is undef, it will fall back to default values, which are "driver:File;serializer:Default;id:MD5".
If session id is missing, it will force the library to generate a new session id, which will be accessible through id()
method.
In CGI::Session version 4.48, this isn't correct. If SID is not defined (not passed or explicitly passed as undef) then module CGI is required and a new query object is created by calling CGI->new(). This session is then searched for a cookie or parameter that defines the session ID. If a session ID is found, then this session is loaded, even if it is an old session and even though the documentation says a "new" session will be generated.In fact this behaviour (bug, in my opinion) has been known since 2009: see Bug 44994
The current documentation for CGI::Session is different. It quite clearly indicates that CGI is used and that setting the second argument to 'new' does not necessarily ensure a new session. But I didn't see guidance on how to get a new session when required either - maybe it's there somewhere, I didn't look very hard. In case it's not there, or not easy to find, the following works:
To force a new session, it is necessary to ensure CGI cannot return a session ID or pass something other than undef as the second parameter to CGI::Session->new() - something that will not be loaded as a session. If the requested session cannot be loaded then an empty session will be returned.
For example, an empty string could be passed instead of undef.
CGI::Session->new(undef, '', HASHREF);
As suggested in the bug report. Or, any other value that is defined and will never match an actual session ID. I repfer:
CGI::Session->new(undef, 'FORCE NEW SESSION', HASHREF);
That makes it clear what is intended. Hopefully no future changes will break this: it is, after all, rather undocumented behaviour.
No comments:
Post a Comment