When I tried this:
    while (my $cgi = new CGI::Fast) {
        ...
        my $session = CGI::Session->new(undef, $cgi);
        ...
    }
I found that different clients were getting the same session! What could cause this weird exchange?
EDIT: I cannot reproduce this reliably, but in my testing I saw cases where I delete the session cookie from the browser, refresh the page and see (using the Firebug Net panel) that I do not send the cookie in the request, but get a Set-Cookie in the response with the old session id! Perhaps something sticks in memory due to the use of FastCGI?
(Note: I removed the second part of the code from an earlier version of this question, because I'm not sure anymore that this is relevant)
EDIT: This http://osdir.com/ml/web.fastcgi.devel/2004-02/msg00007.html seems to describe the behavior that I see
EDIT: As mentioned in the osdir.com post above, FCGI.pm contains this code:
    for (keys %FCGI::ENV) {
        $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
    }
This seems like a distinct flaw to my eyes. This copies values from a constant copy of the environment variables into the copy of the environment visible to the script when the current request does not provide a value for that variable. Therefore, if the request comes without cookies, it will not define HTTP_COOKIE, so the script will be given the cookies from the last request sent to it, which means another session! I don't understand how this code can be right, and this is a very useful module!
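A model of the merge loop quoted in the question, as an added example that is not part of the original post and is not FCGI.pm's code. It assumes, as the post hypothesises and without verifying it against FCGI.pm, that the long-lived hash has picked up a previous request's HTTP_COOKIE, and it compares that merge with one that never fills request-scoped keys from the long-lived copy. The hash names, the key-prefix list and the two sample requests are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a process-lifetime hash such as %FCGI::ENV.
my %initial_env = (PATH => '/usr/bin');

# Constructed sample requests: client A sends a session cookie, client B sends none.
my @requests = (
    { REMOTE_ADDR => '192.0.2.10', HTTP_COOKIE => 'CGISESSID=aaaa1111' },
    { REMOTE_ADDR => '192.0.2.20' },
);

# Same shape as the quoted loop: fill in every key the request did not set.
sub merge_unsafe {
    my ($request, $persistent) = @_;
    my %env = %$request;
    for (keys %$persistent) {
        $env{$_} = $persistent->{$_} unless exists $env{$_};
    }
    return \%env;
}

# Hardened merge: request-scoped keys only ever come from the current request.
sub merge_safe {
    my ($request, $persistent) = @_;
    my %env = %$request;
    for (keys %$persistent) {
        next if /^(?:HTTP_|CONTENT_|QUERY_STRING$|REMOTE_|REQUEST_)/;
        $env{$_} = $persistent->{$_} unless exists $env{$_};
    }
    return \%env;
}

for my $case ([unsafe => \&merge_unsafe], [safe => \&merge_safe]) {
    my ($label, $merge) = @$case;
    my %persistent = %initial_env;
    for my $req (@requests) {
        my $env = $merge->($req, \%persistent);
        printf "%-6s %-11s cookie=%s\n", $label, $env->{REMOTE_ADDR},
            $env->{HTTP_COOKIE} // '(none)';
        # Assumption being modelled: request values leak into the persistent hash.
        %persistent = (%persistent, %$env);
    }
}
```

With the unsafe merge, the second client (192.0.2.20) is reported with client A's CGISESSID even though it sent no cookie; with the safe merge it is reported as `(none)`, so a session library would issue it a fresh session.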