ref: cgi/sessions.rb and p.508 of PR book

Problem: expect (as a built-in feature) to be able to 
specify that a new session to be created only if an 
existing one is not found, but seem to only be able to 
overwrite or prevent creation of sessions. 

Hi,

I use the sessions module for my cgi scripts, and still
have a problem regarding how it decides what to do about
a missing session key.

I would like every visitor to resume their session unless it is 
their first visit - in which case I would like to create a new 
session. But I don't know this until I check for an existing session.

When calling CGI::Session.new, if I do not specifically provide a 
session_id or do not specifically ask for a one to be created, 
then I would like the module to check for a session id from the cgi 
instance, and then from the cookies. If it still doesn't have one 
after all this, then I would like for it to create one - regardless
of whether new_session was specified.

The first problem is that if I specify new_session as true, it will 
create a new session *without* even checking the cgi instance or 
cookies. (And thus overwrite the existing session).
If I specify new_session as false, it prevents a new_session from 
being created (by raising an ArgumentError) if an id is not provided 
or not found in the cgi instance or cookies (which is surprising to me).
And if I specify new_session as nil, it still prevents a new session, 
as if false were specified. If I specify anything else, it treats it 
as true.

Yet, it will not raise the ArgumentError if 'new_session' is not
a key in the options hash at all - but will create a new session
anyway after not finding the session_key/_id anywhere else.

***relevant code from sessions.rb:
      session_key = option['session_key'] || '_session_id'
      id, = option['session_id']
      unless id
        if option['new_session']
          id = create_new_id
        end
      end
      unless id
        id, = request[session_key]
        unless id
          id, = request.cookies[session_key]
        end
        unless id
          if option.key?('new_session') and not option['new_session']
            raise ArgumentError, "session_key `%s' should be supplied"%session_key
          end
          id = create_new_id
        end
      end
***

So, the 'new_session' key seems to be ambiguous in meaning. If anything
besides false/nil, it forces a new session; if false/nil it prevents a 
new session; but if not listed, a new session is created if not found 
anywhere else.

But I cannot guarantee that the new_session key will or will not be
an entry in the options hash, and I would certainly like to
guarantee a new session in case I can't recover an existing one.

I temporarily solved my problem by commenting out the three lines
in cgi/sessions.rb that check for the option key and raise the 
ArgumentError.

But of course, upgrading to 1.6.2 broke all my scripts.

I know I can rescue the ArgumentError or keep patching the script every 
upgrade, but I don't think I should have to check for an error in such
a case - this seems to me like something that should be changed  ;-)

Maybe a new flag could be used (to avoid breaking existing scripts that rely
on this strange behavior), that would override 'new_session', and allow one
to distinguish between 'force'-ing a new session, 'prevent'-ing a new session,
and 'ensure'-ing a new session in case an existing one is not found?

Any ideas/comments? 


Guy N. Hurst

-- 
HurstLinks Web Development    http://www.hurstlinks.com/
Norfolk, VA  23510            (757)623-9688 FAX 623-0433
PHP/MySQL - Ruby/Perl - HTML/Javascript