[ic] Extra sessions created, session id truncated PATCH

Angus Rogerson arogerso at uwaterloo.ca
Wed Dec 4 00:12:28 UTC 2013


Hello,

I have come across some problems in the creation of session ids. On the demo store:
- remove the demo.icdevgroup.org MV_SESSION_ID cookie in your browser
- go to the catalog index page http://demo.icdevgroup.org/i/demo4/index.html
- observe that a cookie has been set for demo.icdevgroup.org MV_SESSION_ID (ex: 4wZTiDBk:173.33.173.140)
- click on the 'home' link to reload the page (http://demo.icdevgroup.org/i/demo4/index.html?bread_reset=1&id=4wZTiDBk)
- note that the cookie has been changed with a new session id, and truncated ip address (ex: EtNhFSXf:173)

Based on the behaviour I have seen on my system, both of the changes of the session id occur only on the first time through ... and in some special cases peculiar to my setup ... so it will have little impact for most people, except that extra session files will be created. However, I have attached a patch for anyone who may find this to be a problem.


The truncation problem is solved by removing the 'not greedy ?' from the regex which parses the MV_SESSION_ID cookie.

> 1298c1298,1299
> < 	elsif (defined $CGI::cookie and $CGI::cookie =~ /\bMV_SESSION_ID=(\w{8,32})[:_]([-\@.:A-Za-z0-9]+?)\b/) {
> ---
> > 	# 2013-11-29 AxR Remove '?' from regex so matches whole IP 4 address
> > 	elsif (defined $CGI::cookie and $CGI::cookie =~ /\bMV_SESSION_ID=(\w{8,32})[:_]([-\@.:A-Za-z0-9]+)\b/) {
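
Review bot: At new line 1299 the greedy `+` is still closed by `\b`, so the capture must end on a word character and whatever follows it in the cookie is silently ignored. A value ending in '.', ':' or '-' would lose that last character, and nothing requires the value to run to the end of the cookie field. Consider ending the value explicitly, for example with a lookahead for ';', whitespace or end of string in place of the trailing `\b`. The comment at 1298 says "IP 4 address", but the character class also admits ':', '@' and letters, so it should say what the second capture is actually allowed to hold.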

In the original, the '+?' tells perl to "Match 1 or more times, not greedily" (perlre - Quantifiers), so it saves the first '.' character to match the word boundary (\b). Changing it from '+?' to '+' allows perl to be greedy and take in the whole IP address and use the end of the string to match the \b.

Hmmm. I suppose there could be configurations for CGI with different values for CGI::host, CGI::user where the portion of the cookie after the ':' could be some other word, followed by more stuff. Maybe something like "aaaaaaaa:myuser (0.0.0.0)". In that case some other re could be needed: perhaps replace the \b with ^[-\@.:A-Za-z0-9].

In any case, this fix works for my setup, and I think it should work for the demo store and similar settings.

The extra new session id is solved by comparing the code for the CookieName, CookiePattern match
> 1292:         elsif ($::Instance->{CookieName} and defined $CGI::cookie) {


and the standard MV_SESSION_ID match
> 1299:        elsif (defined $CGI::cookie and $CGI::cookie =~ /\bMV_SESSION_ID=(\w{8,32})[:_]([-\@.:A-Za-z0-9]+)\b/) {

and digging through Vend::Session and Vend::Dispatch.

$::Instance->{ExternalCookie} seems to mean that a cookie was generated by an external programme. This is not what is happening here.

When $seed is set, interchange does not create a new session. Somehow creating the second session on the second load of pages/index.html sets the $seed. So, setting the seed the first time through stops interchange from creating an extra new session:
> 1312c1313,1315
> < 	      $sessionid = $id;
> ---
> > 	      # 2013-12-03 AxR Set seed so we do not keep making new sessions
> > 	      $seed = $sessionid = $id;
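
Review bot: The comment added at 1313 records the symptom ("so we do not keep making new sessions") but not why `$seed` belongs in this branch, and the chained assignment at 1314 makes it easy to miss that two variables now change. Suggest two separate assignments and a comment stating what a set `$seed` signals to the session code. The hunk does not show where `$id` comes from; if it is taken from the request, confirm that it is checked against an existing session before it is allowed to suppress creation of a new one.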



I hope that helps someone.

Angus

---
Angus Rogerson, BMath, BScN, RN

Duct Tape Programmer
University of Waterloo | Retail Services | Information Systems

Visit Us Online & Right On Campus www.retailservices.uwaterloo.ca



-------------- next part --------------
A non-text attachment was scrubbed...
Name: VendDispatchRegexSeedPatch
Type: application/octet-stream
Size: 1166 bytes
Desc: not available
URL: <http://www.icdevgroup.org/pipermail/interchange-users/attachments/20131203/7ea6c5b4/attachment.obj>
-------------- next part --------------
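
The lazy versus greedy matching described in the message above, as an added example that is not part of the original post or of Interchange. The `lazy` and `greedy` patterns are the two regexes from the patch; the `explicit` pattern is a hypothetical alternative, and the cookie values are constructed (documentation addresses, with the session id from the post).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# 'lazy' and 'greedy' are the before/after regexes from the patch.
# 'explicit' is hypothetical (not in the patch): it ends the value at
# ';', whitespace or end of string instead of relying on \b.
my %pattern = (
    lazy     => qr/\bMV_SESSION_ID=(\w{8,32})[:_]([-\@.:A-Za-z0-9]+?)\b/,
    greedy   => qr/\bMV_SESSION_ID=(\w{8,32})[:_]([-\@.:A-Za-z0-9]+)\b/,
    explicit => qr/\bMV_SESSION_ID=(\w{8,32})[:_]([-\@.:A-Za-z0-9]+)(?=[;\s]|\z)/,
);

# Constructed Cookie header values covering the cases raised in the post.
my @cookies = (
    'MV_SESSION_ID=4wZTiDBk:192.0.2.140',               # plain IPv4
    'MV_SESSION_ID=4wZTiDBk:192.0.2.140; other=1',      # another cookie follows
    'MV_SESSION_ID=4wZTiDBk:2001:db8::1',               # IPv6, ':' inside value
    'MV_SESSION_ID=4wZTiDBk:user@host.example',         # user@host form
    'MV_SESSION_ID=4wZTiDBk:myuser (0.0.0.0)',          # word, then more stuff
    'MV_SESSION_ID=4wZTiDBk:192.0.2.',                  # value ends in '.'
    'MV_SESSION_ID=4wZTiDBk:192.0.2.140/extra',         # char outside the class
);

# Return the second capture (the part after ':' or '_'), or undef.
sub host_part {
    my ($name, $cookie) = @_;
    return $cookie =~ $pattern{$name} ? $2 : undef;
}

for my $cookie (@cookies) {
    print "$cookie\n";
    for my $name (qw(lazy greedy explicit)) {
        my $host = host_part($name, $cookie);
        printf "  %-8s %s\n", $name, defined $host ? "'$host'" : '(no match)';
    }
}
```

The last two inputs are where `greedy` and `explicit` differ: `\b` quietly trims or ignores the tail, while the explicit terminator either keeps the whole value or refuses to match.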
