Hi again,

A co-worker of mine started using Dancer to build a URL-shortener with unique-click stats. http://susbck.com/

To do so he uses multiple cookies to flag each visitor, and he came to realize that Dancer's cookie handling is ... well, completely broken :/

The most important thing we do wrong is to use one single Set-Cookie header (this is a recent change). Indeed, even if the HTTP specs tell us to do so, most browsers fail at parsing one Set-Cookie header with multiple values. Apparently it's way better to use multiple Set-Cookie headers (like Dancer used to do).

Moreover, in the current version, Dancer splits the Set-Cookie header in a rather stupid way (split /[,;]/) which leads to a mess of values when cookies are set with options (like "expires", or "path").

I'm saying that to the list just to warn you that we should change the way Dancer handles cookies. Actually, I think we should rewrite it completely, maybe by looking at how CGI::Cookie works.

There are already two issue reports written by my co-worker that explain what he came across:

https://github.com/sukria/Dancer/issues#issue/356
https://github.com/sukria/Dancer/issues#issue/357

Any help is welcome ;) I think this is our top-priority for the next release.

Regards,

--
Alexis Sukrieh
To do so he uses multiple cookies to flag each visitor, and he came to realize that Dancer's cookie handling is ... well, completely broken :/
I did have a similar problem in my Brocco[1] blog engine, and so far I've "fixed" it in my app(s) with the following ugly workaround:

    ## Fix cookies
    before sub {
        my $c = cookies;
        delete $c->{$_} for grep $_ ne 'dancer.session', keys %$c;
    };

I am aware the above is not a fix _for Dancer_, but it allows _applications_ which may "receive" tracking cookies to _work_ if they use a Dancer::Session::* and they only care about the "dancer.session" cookie.

If the app needs to use more than one cookie, the above does not seem to be a solution, unfortunately.

-marco-

[1]: https://github.com/mfontani/Brocco

----
Marco Fontani
Glasgow Perl Mongers - http://glasgow.pm.org/
Join the RackSpace Cloud at: http://www.rackspacecloud.com/277.html
Hi,

I'm new to this project, so I have made susbck.com, a URL shortening system. I needed cookies for detecting unique clicks, and, well, I have brought to light that cookies don't work at all.

I know the spec says we can set multiple cookies at once by sending Set-Cookie with values separated by commas. But all browsers don't support it. I have tested it on "Firefox, Firefox 4, Safari iPad / iPhone, Chrome and IE".

CGI::Cookie uses multiple lines with HTTP::Headers, something like this: $headers->push_header('Set-Cookie', 'key=value, expire, domain'). So if there are many cookies to be sent at once, the headers look like:

    Set-Cookie: a=1
    Set-Cookie: b=2
    ...

One line per cookie to change. All browsers support it perfectly like this.

Another point, on FreeBSD the cookie test failed on the current cpan_version "1.3011". In fact, has_changed sent back the last cookie I sent from the browser. The comparison is a value versus an array.

I think it could be better to change the way has_changed works. When we call "set_cookie", we could add to a hash the cookie we want to send back. And so has_changed checks the key in the hash and just says OK. It's faster and more secure. If the cookie contains an array or hash, it could be really much easier.

So I have made a patch on my fork to make it work with multiple lines, but the unit test (old style) doesn't work anymore. And the cookie test has to be rewritten using new-style tests with Dancer::Test to prevent the same header on multiple calls from being passed from one test to another.

I will add a pod for NGINX + Plackup + PERLBREW. I have set this up for my project, and the advent.perldancer doesn't work as it should. All static files are sent by plackup instead of nginx.

Here is my repo to check the change: https://github.com/geistteufel/Dancer

It sends one cookie per header line, and I have added a push_header function. The bad thing is that "has_changed" says that all cookies have changed, so it sends them back. We need a test for this.
Date: Mon, 28 Feb 2011 11:42:54 +0000 From: mfontani@cpan.org To: sukria@sukria.net CC: dancer-users@perldancer.org Subject: Re: [Dancer-users] Cookies handling is broken
_______________________________________________
Dancer-users mailing list
Dancer-users@perldancer.org
http://www.backup-manager.org/cgi-bin/listinfo/dancer-users
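Added example, not part of the original thread and not Dancer's code: a core-Perl sketch of the two points raised in the messages above, the split /[,;]/ tokenisation breaking on an "expires" date in a folded header, and the one-header-per-cookie form parsing cleanly. The cookie names, values and dates are constructed, and the helper names (trim, naive_tokens, parse_set_cookie) are hypothetical.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed sample cookies: names, values and dates are made up.
my @cookies = (
    'dancer.session=abc123; path=/; HttpOnly',
    'visitor=42; expires=Mon, 28-Feb-2011 14:41:00 GMT; path=/',
);

sub trim { my ($s) = @_; $s =~ s/^\s+|\s+$//g; return $s }

# Folded form: all cookies in a single comma-separated Set-Cookie header,
# tokenised with the pattern quoted in the thread.
sub naive_tokens {
    my ($header) = @_;
    return map { trim($_) } split /[,;]/, $header;
}

# One header per cookie: only ';' separates attributes, so the comma
# inside the expires date is harmless.
sub parse_set_cookie {
    my ($line) = @_;
    my ($pair, @attrs) = map { trim($_) } split /;/, $line;
    my ($name, $value) = split /=/, $pair, 2;
    my %attr;
    for my $item (@attrs) {
        my ($k, $v) = split /=/, $item, 2;
        $attr{ lc $k } = defined $v ? $v : 1;    # flag attributes such as HttpOnly
    }
    return { name => $name, value => $value, attr => \%attr };
}

my $folded = join ', ', @cookies;
my @tokens = naive_tokens($folded);
print "Set-Cookie: $folded\n";
printf "split /[,;]/ gives %d tokens:\n", scalar @tokens;
print "  [$_]\n" for @tokens;

print "\nOne Set-Cookie header per cookie:\n";
for my $line (@cookies) {
    my $c = parse_set_cookie($line);
    printf "  %s=%s expires=%s path=%s\n", $c->{name}, $c->{value},
        $c->{attr}{expires} // '(session)', $c->{attr}{path} // '(none)';
}
```

In the folded case the session cookie's HttpOnly flag and the second cookie's date fragments come out as unrelated tokens, so a consumer can neither tell where one cookie ends nor which attributes protect which cookie.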
I have made a pull request which should fix all cookie issues. Feel free to review and comment!

From: geistteufel@yahoo.fr To: dancer-users@perldancer.org Date: Mon, 28 Feb 2011 14:41:00 +0100 Subject: Re: [Dancer-users] Cookies handling is broken
participants (3)
- Alexis Sukrieh
- Marco Fontani
- Vincent Bachelier