• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item3523: CGI session files may contain newlines

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine Client Normal Closed   patch 4.1.1

Edit Form Data

Reported By:
Applies To:
Current State:
Waiting For:
Target Release:
Released In:


The session expiration code in TWiki::Client::expireDeadSessions() says:

                open(F, $file) || next;
                my $session = <F>;
                close F;

However, session files may contain newlines in string variables; this can be easily confirmed by inspecting the session files or with wc -l. That means this code won't work and sessions won't be expired correctly. More generally, it seems better to expire sessions that have errors upon read, instead of skipping them (i.e. leaving them around forever), as the current code does.

Well spotted!

Yes, it would be better to expire erroneous sessions. I guess they got left there to assist the debug process.

I realised that the repported issue with session evaluationwas in fact a red herring; the code had been hacked so that no non-zero session file passed the first condition.

So I rewrote the code more sensibly and safely.

Patch candidate?


After another round of good discussion Crawford and I agreed that the best solution is never to read the session files at all in connection with expiry.

We do not have any feature where the expiry of the cookie file is not equal to the mtime (modification time) of the file + the expiry setting from configure.

So we can expire the cookies entirely from the timestamp that the OS gives and perl gives us vis stat.

The CGI::Session module writes to the session file each time we access any topic with a browser. Inside the cookie access time and expiry time is set. So this also resets the modification time to now. And we can take advantage of this.

So I have checked in a very simple replacement of the old function that does this.

It is much faster!

And much safer because we no longer read anything from the session file except through CGI::Session where security is handled much better than we can ever do in our own code.

-- KennethLavrsen - 31 Jan 2007

Also merged to Patch04x01 so fix is in 4.1.1

-- TWiki:Main.KennethLavrsen - 31 Jan 2007

Cleaned "WaitingFor" field.

-- TWiki:Main.GilmarSantosJr - 10 Aug 2008

Summary CGI session files may contain newlines
ReportedBy TWiki:Main.AndrewMoise
Codebase 4.0.4
SVN Range

AppliesTo Engine
Component Client
Priority Normal
CurrentState Closed

Checkins 12688 12696 12697
TargetRelease patch
ReleasedIn 4.1.1
Edit | Attach | Watch | Print version | History: r10 < r9 < r8 < r7 < r6 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r10 - 2008-08-10 - GilmarSantosJr
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback