The first request to a CGI::Fast daemon is recording certain environment
variables, and later requests are getting these as defaults if none are
defined.
The two which have affected me are HTTP_COOKIE, and PATH_INFO.
If the first request has no value, then all subsequent requests are
fine. However, if the first request has values, then these become
defaults for future requests which otherwise would have no value.
I've tested it both with dynamically starting FastCGIs, and with pre-
initialised ones via FastCGIServer, and both exhibit the same behaviour.
I've attached a test FastCGI script (test1) which illustrates the
problem. If you access it from a browser which has a cookie within the
path, or use an extra path, and then access it from a different browser
with no cookie/path, you get the cookie/path showing up.
This is a pretty big problem for apps which use a cookie to track a
session for authentication. If a pre-existing user accesses the app,
then their session cookie gets saved as the default, and subsequent
anonymous requests show up as authenticated to that user.
There may also be other env vars suffering the same issue, but these
were the two key ones that are impacting my apps.
As some further tests, I tested using just FCGI by itself (see test2).
It did not show the problem.
I then used a FCGI main loop, but using CGI internally (i.e. not using
CGI::Fast) (see test3), and it also did not show the problem.
I copied CGI/Fast.pm, and found that if I added:

    $Ext_Request = FCGI::Request();

...to BEGIN, if there's no FCGI_SOCKET_PATH, then using CGI::Fast works
fine.
i.e.:

    BEGIN {
        # ...
        if ($ENV{FCGI_SOCKET_PATH}) {
            # ...
        }
        else
        {
            $Ext_Request = FCGI::Request();
        }
    }

It seems that using one request, rather than just calling
FCGI::accept(), works properly.
Before I pinpointed the issue, I updated my CGI perl libs from CPAN, so
am using 3.52. The FCGI lib is 0.7.1. The server runs Debian Linux
5.0.6, with kernel 2.6.31.5. Perl is version 5.10.0.
https://rt.cpan.org/Ticket/Display.html?id=65492
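
The reproduction steps in the report above, turned into a repeatable isolation check. This is an added example, not code from the ticket, CGI::Fast or FCGI: `make_leaky_worker`, `make_isolated_worker` and `leaked_keys` are hypothetical names, the leaky worker only models the reported symptom (it is not the library's actual mechanism), and the cookie and path values are constructed.

```perl
use strict;
use warnings;
use Test::More tests => 3;

# Request-scoped variables named in the report.
my @REQUEST_KEYS = qw(HTTP_COOKIE PATH_INFO);

# Hypothetical worker modelling the reported symptom (not CGI::Fast code):
# the first request's parameters become defaults for later requests.
sub make_leaky_worker {
    my $first;
    return sub {
        my %params = @_;
        $first //= { %params };
        return +{ %$first, %params };
    };
}

# Hypothetical worker with correct isolation: only this request's parameters.
sub make_isolated_worker {
    return sub { my %params = @_; return +{ %params } };
}

# Replays the report's reproduction: a request with a cookie and extra path,
# then an anonymous one. Returns the keys the anonymous request still saw.
sub leaked_keys {
    my ($worker, %opt) = @_;
    $worker->(REQUEST_METHOD => 'GET') if $opt{anonymous_first};
    $worker->(
        REQUEST_METHOD => 'GET',
        HTTP_COOKIE    => 'session=CONSTRUCTED-USER-A',   # constructed value
        PATH_INFO      => '/extra/path',                  # constructed value
    );
    my $env = $worker->(REQUEST_METHOD => 'GET');
    my @leaked = grep { defined $env->{$_} } @REQUEST_KEYS;
    return @leaked;
}

is_deeply([ leaked_keys(make_leaky_worker()) ], [qw(HTTP_COOKIE PATH_INFO)],
    'first request with values: anonymous request inherits both');
is_deeply([ leaked_keys(make_leaky_worker(), anonymous_first => 1) ], [],
    'first request without values: nothing inherited, as the report observes');
is_deeply([ leaked_keys(make_isolated_worker()) ], [],
    'isolated worker: anonymous request sees no cookie or path');
```

The same two-request sequence, pointed at a real persistent worker instead of the model, is the regression check to keep for any session-cookie application running under a long-lived process.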