[Dancer-users] Cookies handling is broken

Alexis Sukrieh sukria at sukria.net
Mon Feb 28 12:32:59 CET 2011


Hi again,

A co-worker of mine started using Dancer to build a URL shortener with 
unique-click stats.

     http://susbck.com/

To do so he uses multiple cookies to flag each visitor, and he came to 
realize that Dancer's cookie handling is ... well, completely broken :/

The most important thing we do wrong is to use one single Set-Cookie 
header (this is a recent change). Indeed, even if the HTTP specs tell 
us to do so, most browsers fail at parsing one Set-Cookie header with 
multiple values.
Apparently it's way better to use multiple Set-Cookie headers (like 
Dancer used to do).

Moreover, in the current version, Dancer splits the Set-Cookie header in 
a rather stupid way (split /[,;]/) which leads to a mess of values 
when cookies are set with options (like "expires", or "path").

I'm saying that to the list just to warn you that we should change the 
way Dancer handles cookies. Actually, I think we should rewrite it 
completely, maybe by looking at how CGI::Cookie works.

There are already two issue reports written by my co-worker that explain 
what he came across:

https://github.com/sukria/Dancer/issues#issue/356
https://github.com/sukria/Dancer/issues#issue/357

Any help is welcome ;)

I think this is our top-priority for the next release.

Regards,

-- 
Alexis Sukrieh
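
The failure described in the message, as an added example that is not part of the original post and is not Dancer's code: two cookies with "path" and "expires" options are folded into one Set-Cookie value and cut with the quoted split /[,;]/, then emitted as one header per cookie instead. The cookie names and values and the helper functions are constructed for illustration.

```perl
use strict;
use warnings;

# Constructed sample cookies (names and values are made up for this example).
my @cookies = (
    { name => 'visitor', value => 'abc123', path => '/',
      expires => 'Tue, 01-Mar-2011 12:00:00 GMT' },
    { name => 'clicked', value => '1', path => '/stats',
      expires => 'Wed, 02-Mar-2011 12:00:00 GMT' },
);

sub trim { my ($s) = @_; $s =~ s/^\s+|\s+$//g; return $s }

# Serialize one cookie together with its attributes.
sub cookie_string {
    my ($c) = @_;
    return join '; ', "$c->{name}=$c->{value}",
        "path=$c->{path}", "expires=$c->{expires}";
}

# Folded form: every cookie in a single Set-Cookie value, comma-separated.
sub folded_header { return join ', ', map { cookie_string($_) } @_ }

# The split quoted in the message: cuts on every ',' and every ';'.
sub naive_split { return map { trim($_) } split /[,;]/, $_[0] }

# One header per cookie: ';' is the only delimiter, so the comma inside
# the expires date never has to be interpreted.
sub parse_single {
    my ($pair, @attrs) = map { trim($_) } split /;/, $_[0];
    my ($name, $value) = split /=/, $pair, 2;
    my %attr = map { my ($k, $v) = split /=/, $_, 2; (lc($k), $v) } @attrs;
    return { %attr, name => $name, value => $value };
}

my $folded = folded_header(@cookies);
print "Folded header:\n  Set-Cookie: $folded\n\n";
print "Pieces after split /[,;]/:\n";
print "  [$_]\n" for naive_split($folded);

print "\nOne Set-Cookie header per cookie:\n";
for my $c (@cookies) {
    my $line = cookie_string($c);
    my $p    = parse_single($line);
    print "  Set-Cookie: $line\n";
    print "    -> $p->{name}=$p->{value}, path=$p->{path}, expires=$p->{expires}\n";
}
```

In the folded case each expires date is cut at its comma and nothing in the resulting pieces says which path or expires belongs to which cookie, so a cookie can end up with the wrong scope or lifetime.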

