When I tried this:

    while (my $cgi = new CGI::Fast) {
        ...
        my $session = CGI::Session->new(undef, $cgi);
        ...
    }

I discovered that different clients were getting the same session! What would be causing this bizarre session-sharing?
EDIT: I can't reproduce this reliably but in my testing, I have seen cases where I delete the session cookie from the browser, refresh the page, and (using Firebug's Net pane) see that I'm not sending a cookie in the request but get a Set-Cookie in the response with an old session ID! Perhaps something is sticking in memory due to using FastCGI?
(Note: I removed a 2nd piece of code from an earlier version of this question because I'm no longer sure it's relevant)
EDIT: This http://osdir.com/ml/web.fastcgi.devel/2004-02/msg00007.html seems to be describing the behavior I'm seeing
EDIT: As mentioned in the above osdir.com posting, FCGI.pm contains this code:

    for (keys %FCGI::ENV) {
        $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
    }

This seems quite clearly flawed to my eyes. It is copying from a persistent copy of environment variables into the copy of the environment visible to the script whenever the current request does not supply a value for a given variable. So if a request comes in with no cookies, then it won't find HTTP_COOKIE defined so it will give the script the cookies from the last request that sent them, meaning some other session! I don't get how this code could possibly be correct, and this is a very highly used module!
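
The merge described in the question can be modelled without FastCGI at all. The following is an added example, not part of the original post and not code from FCGI.pm: the request hashes, the function names and the way the persistent hash is populated are assumptions made for the simulation. It runs two constructed requests through a "fill in whatever the request did not supply" merge and through a merge that only inherits a fixed process-level baseline.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample requests: client A sends a session cookie, client B sends none.
my @requests = (
    { REMOTE_ADDR => '192.0.2.10', HTTP_COOKIE => 'CGISESSID=aaaa1111' },
    { REMOTE_ADDR => '192.0.2.20' },
);

# Merge in the style quoted in the question: a value is copied from the
# persistent hash whenever the current request did not supply that key.
# Assumption of this model: the persistent hash remembers earlier requests' values.
sub env_leaky {
    my ($persistent, $request) = @_;
    my %env = %$request;
    $persistent->{$_} = $request->{$_} for keys %$request;
    for (keys %$persistent) {
        $env{$_} = $persistent->{$_} unless exists $env{$_};
    }
    return \%env;
}

# Isolated form: only process-level baseline keys are inherited; anything
# request-scoped (HTTP_*, REMOTE_*, ...) comes from the current request or is absent.
sub env_isolated {
    my ($baseline, $request) = @_;
    return +{ %$baseline, %$request };
}

# What a session layer would see as the incoming cookie header.
sub session_cookie {
    my ($env) = @_;
    return defined $env->{HTTP_COOKIE} ? $env->{HTTP_COOKIE} : '(none)';
}

my %persistent;                              # survives across requests
my %baseline = (PATH => '/usr/bin:/bin');    # constructed process-level environment

for my $req (@requests) {
    my $leaky    = env_leaky(\%persistent, $req);
    my $isolated = env_isolated(\%baseline, $req);
    printf "%-12s leaky merge: %-20s isolated: %s\n",
        $req->{REMOTE_ADDR}, session_cookie($leaky), session_cookie($isolated);
}
```

With the first merge, the second client, which sent no cookie, is handed the first client's `CGISESSID`; with the second, it sees no cookie and a session layer would issue a fresh ID.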