[cgiapp] Sessions leaking with FastCGI

Thu Jun 16 21:26:03 EDT 2011

Hi Victor

Looks like no-one replied via the list.

I'll take a guess, but I don't use FastCGI.

More below.

On Thu, 2011-06-16 at 18:50 -0500, Victor Bruno wrote:
> I have a webapp in cgiapp (Titanium) that I I recently made persistent with
> fastcgi.   I am hearing sporadic user reports of sessions "leaking" to the
> wrong clients.  A user will login and get presented with the homepage of a
> different user who is currently logged in and has a live session.  I have
> been taking stabs at what could be causing it and deploying possible fixes,
> only to get another report of it happening again.  This problem only cropped
> up when I moved to fastcgi. Users are all coming from different IP's so I am
> not sure how the CAP:Session could get them mixed up.

Possibilities:

o The bug was there all along, but moving to FastCGI exposed it

o The bug is in FastCGI

o The bug is in your new code which handles FastCGI

> I am having a hard time tracking this down. I am using CA:Dispatch,
> CAP:Session.

I don't believe this bug is in those modules.

> My dispatch script looks like this, so I should be getting a fresh CGI query
> object on every call with the my $cgi = CGI::Fast -> new(), right?

I assume so, yes.

> use lib 'lib';
> 
> use strict;
> 
>  
> 
> use CGI::Application::Dispatch;
> 
> use CGI::Fast;
> 
> use FCGI::ProcManager;  
> 
>  
> 
> my($proc_manager) = FCGI::ProcManager -> new({n_processes => 10});
> 
> $proc_manager -> pm_manage();
> 
>  
> 
> while (my $cgi = CGI::Fast -> new() )
> 
> {
> 
>     $proc_manager -> pm_pre_dispatch();
> 
>  
> 
>     CGI::Application::Dispatch->dispatch(
> 
>     args_to_new => {QUERY => $cgi, PARAMS => { cfg_file => 'myApp.cfg'} },
> 
>     table   => ['logout'                                                => {
> prefix => '', app => 'myApp', rm => 'logout' },
> 
>                 ':inst/:app/:rm/:id1?/:id2?/:id3?/:id4?'        => { prefix
> => 'myApp::Controller' },
> 
>     ],
> 
>     );
> 
>  
> 
>     $proc_manager -> pm_post_dispatch();
> 
> }
> 
>  
> 
> Also, I am wondering about my call to session_config.  I still have that in
> cgiapp_init - does that need to move to prerun in a persistent environment?
> I did add a $self->session->flush() to my postrun.  Are there other things
> that needs to be done differently under fastcgi with CAP Session or Dispatch
> or CGI::Fast?

I don't think moving it would make any difference. I always
cgiapp_prerun myself.

-- 
Ron Savage
http://savage.net.au/
Ph: 0421 920 622