Thread: [Cppcms-users] About exposed cookie management
From: redred77 <red...@gm...> - 2015-12-24 17:34:36

Hi,

I'm testing cppcms and am stuck with cookie management.
This is the sample code I'm using.

    session().set("test", "testvalue");
    session().expose("test");

I could see the cookie exposed like "(prefix)_test".
Also, I could see the main encrypted session cookie which contains all info.

It works as intended, but when the main session expires, things do not work as I expected.
The "test" key is gone since the main session cookie is not valid anymore, but the exposed "test" cookie key was still alive and transferred between client and server.

1. Is it the right behaviour? Or have I misconfigured something?
I thought that session() in cppcms guarantees the lifecycle of the "main session key" and the "exposed cookie" together.

When the session key is not valid anymore, I thought the cookie would be deleted too.

I don't quite know the mechanism underlying cppcms, so I want to know if I'm doing it right.

2. Actually, it's not a big problem because I can check the "test" key from the session and invalidate it from the server.
Currently, I'm deleting the exposed cookie key like this.

    if (!session().is_set("test")) {
        session().set("test", "");
        session().expose("test");
    }

When there's no valid "test" key in the session, it makes that key with an empty string and exposes it.
I tried many other methods, like hide() and clear(), but only this worked when the previous session had already expired.

I feel like I'm doing it in an inefficient way.

I don't know of a simpler API from cppcms.
Can anybody suggest a better API or approach for deleting a plain cookie from cppcms?

Thanks.

From: Artyom B. <art...@ya...> - 2015-12-24 20:59:27

What kind of session expiration do you use? fixed, renew or browser?

See, the session cookie and related cookies should have the same expiration time. So when the session expires the cookie should disappear as well.

I'm thinking that maybe you use a browser session and it expires before the browser is closed. And then the cookie is not properly deleted because the session does not know what keys are exposed there and what should be deleted.

It looks to me like a bug... Also, from what I think, it happens only with a browser based session (i.e. cookies without max-time/expires properties) that expires before the browser is closed.

Can you confirm, and if this is right, open a ticket?

As a workaround for the issue you can use

    // Test if there is no session key but the cookie exists.
    if(!session().is_set("test")
       && request().cookies().find("[prefix]_test") != request().cookies().end())
    {
        // Remove the cookie. The name must be the exposed cookie's name,
        // "[prefix]_test", not the bare session key.
        response().set_cookie(cppcms::http::cookie("[prefix]_test", "", 0));
    }

Artyom

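The workaround above, generalised as an added example (not part of the original thread and not CppCMS code): a standard-library-only model that scans the request's Cookie header and builds expiring Set-Cookie lines for every exposed cookie whose key the server-side session no longer holds. The function names, the sample prefix "cppcms_session", the Path value and the assumption that the main session cookie carries the bare prefix as its name are all illustrative.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Split a Cookie request header ("a=1; b=2") into name -> value pairs.
std::map<std::string, std::string> parse_cookie_header(const std::string& header) {
    std::map<std::string, std::string> cookies;
    std::istringstream in(header);
    std::string pair;
    while (std::getline(in, pair, ';')) {
        std::size_t start = pair.find_first_not_of(" \t");
        if (start == std::string::npos) continue;
        std::size_t eq = pair.find('=', start);
        if (eq == std::string::npos) continue;  // malformed pair, skip it
        cookies[pair.substr(start, eq - start)] = pair.substr(eq + 1);
    }
    return cookies;
}

// Build Set-Cookie lines that expire every "<prefix>_<key>" cookie the client
// sent whose key is no longer present in the server-side session.
// `path` is an assumption: it must match the Path the cookie was issued with.
std::vector<std::string> expire_orphaned_exposed(
        const std::string& cookie_header, const std::string& prefix,
        const std::set<std::string>& live_session_keys,
        const std::string& path = "/") {
    std::vector<std::string> out;
    const std::string lead = prefix + "_";
    for (const auto& kv : parse_cookie_header(cookie_header)) {
        const std::string& name = kv.first;
        // Assumed: the main session cookie is named exactly <prefix>, so it is skipped.
        if (name.compare(0, lead.size(), lead) != 0) continue;
        if (live_session_keys.count(name.substr(lead.size()))) continue;
        out.push_back("Set-Cookie: " + name + "=; Max-Age=0; Path=" + path);
    }
    return out;
}

int main() {
    // Constructed request: the session no longer holds "test" but still holds "lang".
    const std::string header =
        "cppcms_session=Cxyz; cppcms_session_test=testvalue; cppcms_session_lang=en";
    for (const auto& line : expire_orphaned_exposed(header, "cppcms_session", {"lang"}))
        std::cout << line << "\n";
    return 0;
}
```

Because the session, not the plain cookie, is the source of truth, a handler would run this sweep before reading any exposed value from the request.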
From: redred77 <red...@gm...> - 2015-12-25 00:08:12

Yeah, I used browser based expiration. It lost the session before the browser was closed.

I opened a new ticket for it.
http://sourceforge.net/p/cppcms/bugs/143/

Great to hear about the new beta release anyway! (I acknowledged it this morning. The recent mail was in the spam folder.)
Very interesting improvements. Awesome work!

Happy Christmas!