Session does not expire in Mojolicious

3
votes

I have a Mojolicious application and a bridge for authentication. This is my scenario:
I have a set of standard error response in the database which I query by passing in a value, say, return a 404 with a detailed error response. The database would have common details the correspond to the error while other user specific details such as ip and user name is obtained from the controller. Kindly have a look at this link on how the error response is built. I have a helper which gets an instance of the controller and error code to generate the required response. I use the controller object to query the db through the resultset of the table that contains the error response. Through the controller I also get the user specific details required to create the response. The response is then created, sent back to the controller which is then returned as a Json.
My problem is on log out, I set $self->session(expires => 1) which invalidates the session. On an attempt to logout again, I use the controller to access the helper build an error response and send it to the client. Now any attempt to access any of the URI is made futile for the first attempt by the following check.

unless($self->session('user')) {
    my $res = Controller::Helper->error_res($self, 403);
    $self->render_json($res, status => $res->{httpstatuscode});
    return;
    }

This check works for the first time, but when I try to access the resource again(any number of times), this check fails and the resource is accessed without login. When i look at the cookie a new cookie is created. Where am I going wrong here? And what would be the best way to handle such issues? The helper function looks like this 

error_res{ 
    my($self,$c,$res) = @_; 
    my @arref = $c->db->resultset('Errorcode')->select_row($res);
    my $ref=$arref[0];
    $ref->{user}=$c->session->{user}->{name};
    $ref->{request}=$c->req->method."".join("\\",$c->req->url->path);
    $ref->{time}=scalar localtime();
    return $ref;
}

Where res is and id in the database that would identify the particular error.

So, is it to do with reference of controller still being available in the helper? When I undef $c in helper it does not help.
Edit 1: Am I missing some point here and is this the right way?
Edit 2: I invalidate the user on logout. When the user tries to logout again I return an error with additional information about the error. But while creating the additional information about the error, a new session is created with no user info. This does not happen if I do the following 

unless($self->session('user')) {
    $self->render_json("message:User has not logged in", status => 403);
    return;
}
2
perlsessionmojolicious
Do I understand that you are invalidating the session cookie on every request? Perhaps you should explain the user interaction flow, I cannot understand what the correct and incorrect behavior is. - Joel Berger
@JoelBerger I have edited the question to answer your question, hope it helps in understanding this question. - Ha Sh
Your edit (2) appears to behave as I would expect. When the user is logged out, (s)he would have no user key in the new session cookie. I do a similar check in my CMS Galileo - Joel Berger
@JoelBerger, unfortunately the application does create a user key with no value in when I build the error response through Controller::Helper but not with the response I send out as in edit 2. So, the user key is defined and the check fails, I can check for the existence of value, but is the behavior correct? - Ha Sh

2 Answers

3
votes

So I figured out the answer, the odd behavior was due do the autovivification feature of perl. It involves dynamic creation of data structures. In my case, I try to get the name of the user through the session cookie at 

$ref->{user}=$c->session->{user}->{name};

When the user is not logged in, user key is not set in the session but I try to get name through this key when creating the error response. This results in the creation of user with no value. A check on if the user key exists solved the issue.

1
votes

After reading the comments, I'm rather certain that the framework is behaving as expected. The application logic may need to be changed (as has been demonstrated in edit 2).

The reason is that, the session is just a hashref, serialized to JSON, signed, and stored in a cookie. If you create the key, then its there. I'm not sure what else to tell you.

And yes a new session cookie is created immediately following the expiration of the previous one. This is necessary for the framework, and fully expected.