CGI::Session sharing sessions between clients!

大兔子大兔子 submitted on 2019-12-07 05:04:30

Question


When I tried this:

while (my $cgi = new CGI::Fast) {
    ...
    my $session = CGI::Session->new(undef, $cgi);
    ...
}

I discovered that different clients were getting the same session! What would be causing this bizarre session-sharing?

EDIT: I can't reproduce this reliably but in my testing, I have seen cases where I delete the session cookie from the browser, refresh the page, and (using Firebug's Net pane) see that I'm not sending a cookie in the request but get a Set-Cookie in the response with an old session ID! Perhaps something is sticking in memory due to using FastCGI?

(Note: I removed a 2nd piece of code from an earlier version of this question because I'm no longer sure it's relevant)

EDIT: This http://osdir.com/ml/web.fastcgi.devel/2004-02/msg00007.html seems to be describing the behavior I'm seeing

EDIT: As mentioned in the above osdir.com posting, FCGI.pm contains this code:

for (keys %FCGI::ENV) {
    $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
}

This seems quite clearly flawed to my eyes. It is copying from a persistent copy of environment variables into the copy of the environment visible to the script whenever the current request does not supply a value for a given variable. So if a request comes in with no cookies, then it won't find HTTP_COOKIE defined so it will give the script the cookies from the last request that sent them, meaning some other session! I don't get how this code could possibly be correct, and this is a very highly used module!
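
The stale-fallback behaviour described in the question, reduced to a stand-alone Perl sketch (an added example, not code from the post or from FCGI.pm). The sub and hash names, the sample requests, and the way the persistent copy is refreshed are assumptions made for illustration; no FastCGI module is loaded.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed requests: client A sends a session cookie, client B sends none.
my @requests = (
    { REMOTE_ADDR => '192.0.2.10', HTTP_COOKIE => 'CGISESSID=aaaa1111' },
    { REMOTE_ADDR => '192.0.2.20' },
);

# Flawed: same loop shape as the snippet quoted in the question. Keys the
# current request lacks are filled in from state that outlives the request.
sub env_with_fallback {
    my ($request, $persistent) = @_;
    my %env = %$request;
    for (keys %$persistent) {
        $env{$_} = $persistent->{$_} unless exists $env{$_};
    }
    %$persistent = %env;    # assumption: the persistent copy keeps the last values
    return \%env;
}

# Isolated: rebuild the environment for every request from the process's
# startup values plus this request's own variables, and nothing else.
sub env_isolated {
    my ($request, $startup) = @_;
    return +{ %$startup, %$request };
}

# Pull the session ID out of a Cookie header value, or undef if absent.
sub session_id {
    my ($env) = @_;
    return unless defined $env->{HTTP_COOKIE};
    return $env->{HTTP_COOKIE} =~ /(?:^|;\s*)CGISESSID=([^;]+)/ ? $1 : undef;
}

my %startup    = (PATH => '/usr/bin');    # constructed startup environment
my %persistent = %startup;
for my $req (@requests) {
    my $flawed = session_id(env_with_fallback($req, \%persistent));
    my $clean  = session_id(env_isolated($req, \%startup));
    printf "%-12s fallback=%-10s isolated=%s\n", $req->{REMOTE_ADDR},
        $flawed // '(none)', $clean // '(none)';
}
```

With the fallback merge, the second client, which sent no cookie, resolves to the first client's session ID; the isolated build yields none for it.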


Answer 1:


I fixed this bug about seven months ago; you need to upgrade CGI.pm to >= 3.56. CGI::Fast was using an FCGI API that was deprecated and removed from documentation more than ten years ago.




Answer 2:


Are you using mod_perl? If so, global variables will persist across requests, and this will be intermittent because it will depend on whether the request is handled by the same Apache httpd process or not, which will depend on site load and other variables.



Source: https://stackoverflow.com/questions/6013354/cgisession-sharing-sessions-between-clients
