
Fix using Rack::Session::Cookie with coder: Rack::Session::Cookie::Base64::{JSON,Zip} #1667

Merged
merged 1 commit into from May 28, 2020

Conversation

jeremyevans
Contributor

This is an issue because SessionId doesn't round trip through JSON.
However, it probably has the same security issue as before SessionId
was introduced.

It may be better to eliminate the session id completely for cookie
sessions, since there is no reason cookie sessions need an id (an
id is only needed for memcache/memory/database sessions).

Fixes #1666
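A stand-alone Ruby illustration of the round-trip failure this PR addresses (added here; this is not Rack's code, and both the `SessionId` class and the `JsonCoder` module are simplified stand-ins constructed for the example, as is the re-wrapping step, which shows one possible defensive handling rather than the merged fix):

```ruby
require 'json'
require 'digest/sha2'

# Constructed stand-in for Rack::Session::SessionId: a public id that lives in
# the cookie and a derived private id meant for server-side store keys.
class SessionId
  attr_reader :public_id

  def initialize(public_id)
    @public_id = public_id
  end

  # Derived so that a leaked server-side store does not expose usable cookie values.
  def private_id
    "2::#{Digest::SHA256.hexdigest(public_id)}"
  end

  # JSON's generic Object#to_json serialises an object as its #to_s,
  # so only the public id string reaches the cookie.
  def to_s
    public_id
  end
end

# Constructed Base64-wrapped JSON coder, shaped like Rack's Base64::JSON coder.
module JsonCoder
  module_function

  def encode(hash)
    [JSON.generate(hash)].pack('m0')
  end

  def decode(str)
    JSON.parse(str.unpack1('m0'))
  end
end

# Naive round trip: the SessionId object comes back as a plain String,
# so anything that later calls #private_id on it breaks.
def naive_round_trip(session)
  JsonCoder.decode(JsonCoder.encode(session))
end

# Defensive load: re-wrap "session_id" when the coder handed back a String.
def rewrapping_round_trip(session)
  data = JsonCoder.decode(JsonCoder.encode(session))
  sid = data['session_id']
  data['session_id'] = SessionId.new(sid) if sid.is_a?(String)
  data
end
```

Running `naive_round_trip({ 'session_id' => SessionId.new('abc123'), 'user_id' => 42 })` returns a `String` for `session_id`, while `rewrapping_round_trip` returns a `SessionId` with the same public and private ids as the original.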

@ioquatix
Member

case statements around what should probably just be an inheritance/method override seems like a fragile design.

We fundamentally have two different kinds of sessions - a session where all data is stored on the client, and a session where the client only stores an id and we have an internal database of session data. Do we model this correctly? Is this problem caused by modelling it incorrectly?

@jeremyevans
Contributor Author

I agree that this design is suboptimal. There should be no reason to force use of a session id for cookie sessions. Roda's sessions plugin, which also uses cookies, does not use session ids.

However, in terms of fixing #1666, this appears to me to be the simplest approach. We could drop the session id for cookie sessions, but I'm guessing people are using it even though it is not strictly needed.

I'm not sure there is a security issue with session ids when using cookie sessions, since the session id isn't actually used, unlike for memcache/memory/database sessions.

@tenderlove tenderlove merged commit 846e766 into rack:master May 28, 2020
Successfully merging this pull request may close these issues.

Rack::Session::Cookie no longer round-trips with JSON coder
3 participants