Session cookie handling in qxthttpsessionmanager can be improved.

Issue #44 new
Rob van der Meer created an issue
  • Fail: If the client has multiple session cookies, only the first one is read. A new cookie is generated and added on the client side, but during the next request the first cookie is read, i.e. again a new cookie is generated. So, all client cookies must be read.
  • Misbehaviour: At least Chrome asks for the favicon with an HTTP GET, but without sending cookies during this request. My suggestion would be to only initiate sessions on an HTTP POST (e.g. login form).
  • Improvement: If the client already has a session cookie unknown to the server, a new one is generated. In my application I save the server state and restore it on startup. The state of the client is bound to his session cookie, so my preference would be that it reuses the previous session cookie instead of generating a new one.

My scrap code to accomplish this in incomingRequest:
<code>
bool isPost = header.method().compare("POST") == 0;

int sessionID = 0;

QMultiHash<QString, QString> cookies;
foreach(const QString& cookie, header.allValues("cookie"))   // QHttpHeader is case-insensitive, thankfully
{
    foreach(const QString& kv, cookie.split("; "))
    {
        int pos = kv.indexOf('=');
        if (pos == -1) continue;
        cookies.insert(kv.left(pos), kv.mid(pos + 1));
    }
}

QList<QString> sessionCookies = cookies.values(qxt_d().sessionCookieName);

qxt_d().sessionLock.lock();

for (int s = 0; s < sessionCookies.size(); s++) {
    if (qxt_d().sessionKeys.contains(sessionCookies[s])) {
        //qDebug() << "Session cookie" << sessionCookies[s];
        sessionID = qxt_d().sessionKeys[sessionCookies[s]];
        //qDebug() << "SessionID" << sessionID;
    }

}

// Create new session if no session is available and the user is posting (prevent favicon gets creating new sessions)
if (sessionID == 0 && isPost) {
    if (sessionCookies.size() > 0) {
        // Create session, based on existing cookie
        sessionID = createService();
        qxt_d().sessionKeys[sessionCookies[0]] = sessionID;
        //qDebug() << "Creating session for existing cookie: " << sessionCookies[0];
    }
}

if (sessionID == 0 && isPost) {
    if (header.majorVersion() > 0 && qxt_d().autoCreateSession) {
        sessionID = newSession();
        //qDebug() << "New session!";
    }

}
</code>
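
Added example, not part of the issue and not libqxt code: the lookup the issue describes (read every session cookie, create sessions only on POST) in standard C++ instead of Qt types, with one difference. An unknown cookie value sent by the client is not adopted as a session key, since that would let a client pick its own session identifier (session fixation); keys the server saved are reloaded into the table at startup instead. `SessionTable`, `cookieValues`, `resolveSession` and the cookie name `sessionID` are assumptions.

```cpp
#include <map>
#include <random>
#include <sstream>
#include <string>
#include <vector>
// Hypothetical stand-in for the manager's key table (sessionKeys in the issue).
struct SessionTable {
    std::map<std::string, int> keys;  // session cookie value -> session ID
    int nextId = 1;
    std::string issuedKey;            // value for Set-Cookie after create()
    // Reload a key that the server itself saved before shutdown.
    void restore(const std::string& key) { keys[key] = nextId++; }
    int create() {                    // key is server-generated, never client-chosen
        std::random_device rd;        // assumed to be an OS-backed entropy source
        std::ostringstream k;
        for (int i = 0; i < 4; ++i) k << std::hex << rd();
        issuedKey = k.str();
        return keys[issuedKey] = nextId++;
    }
};

// Collect every value of cookie `name` from all Cookie header lines.
std::vector<std::string> cookieValues(const std::vector<std::string>& headers,
                                      const std::string& name) {
    std::vector<std::string> out;
    for (const std::string& h : headers) {
        for (std::size_t start = 0; start < h.size();) {
            std::size_t end = h.find(';', start);
            if (end == std::string::npos) end = h.size();
            std::size_t b = h.find_first_not_of(' ', start);
            std::size_t eq = h.find('=', b);
            if (b < end && eq < end && h.compare(b, eq - b, name) == 0)
                out.push_back(h.substr(eq + 1, end - eq - 1));
            start = end + 1;
        }
    }
    return out;
}

// Returns the session ID, or 0 when the request gets no session.
int resolveSession(SessionTable& t, const std::string& method,
                   const std::vector<std::string>& cookieHeaders) {
    for (const std::string& v : cookieValues(cookieHeaders, "sessionID")) {
        auto it = t.keys.find(v);
        if (it != t.keys.end()) return it->second;  // any known cookie wins
    }
    if (method != "POST") return 0;  // e.g. the cookie-less favicon GET
    return t.create();               // unknown client values are not adopted
}
```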
