 

CGI::Session sharing sessions between clients!

Tags: cgi, perl, fastcgi

When I tried this:

while (my $cgi = new CGI::Fast) {
    ...
    my $session = CGI::Session->new(undef, $cgi);
    ...
}

I discovered that different clients were getting the same session! What would be causing this bizarre session-sharing?

EDIT: I can't reproduce this reliably but in my testing, I have seen cases where I delete the session cookie from the browser, refresh the page, and (using Firebug's Net pane) see that I'm not sending a cookie in the request but get a Set-Cookie in the response with an old session ID! Perhaps something is sticking in memory due to using FastCGI?

(Note: I removed a 2nd piece of code from an earlier version of this question because I'm no longer sure it's relevant)

EDIT: This http://osdir.com/ml/web.fastcgi.devel/2004-02/msg00007.html seems to be describing the behavior I'm seeing

EDIT: As mentioned in the above osdir.com posting, FCGI.pm contains this code:

for (keys %FCGI::ENV) {
    $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
}

This seems quite clearly flawed to my eyes. It is copying from a persistent copy of environment variables into the copy of the environment visible to the script whenever the current request does not supply a value for a given variable. So if a request comes in with no cookies, then it won't find HTTP_COOKIE defined so it will give the script the cookies from the last request that sent them, meaning some other session! I don't get how this code could possibly be correct, and this is a very highly used module!

Asked by JoelFan, May 16 '11 05:05


1 Answer

I fixed this bug about seven months ago; you need to upgrade CGI.pm to >= 3.56. CGI::Fast was using an FCGI API that was deprecated and removed from documentation more than ten years ago.

Answered by chansen, Sep 27 '22 21:09
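
A minimal model of the merge behaviour the question describes, next to a per-request-isolated variant, as an added example (not code from FCGI.pm, CGI::Fast or either poster). The function names, the sample requests and the step that carries state from one request to the next are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample requests: per-request CGI variables as a FastCGI
# server would pass them. The second client sends no Cookie header.
my @requests = (
    { REMOTE_ADDR => '192.0.2.10', HTTP_COOKIE => 'CGISESSID=aaaa1111' },
    { REMOTE_ADDR => '192.0.2.20' },
);

# Flawed merge: anything the current request did not set is filled in
# from a hash that outlives the request (same shape as the quoted loop).
sub merge_leaky {
    my ($persistent, $request) = @_;
    my %env = %$request;
    for (keys %$persistent) {
        $env{$_} = $persistent->{$_} unless exists $env{$_};
    }
    %$persistent = %env;    # assumption: state carried to the next request
    return \%env;
}

# Isolated merge: only values captured once at process startup are
# inherited; per-request variables never survive into the next request.
sub merge_isolated {
    my ($startup, $request) = @_;
    return { %$startup, %$request };
}

# Returns the session id a handler would read from each request's cookie.
sub session_ids {
    my ($merge) = @_;
    my %state = (PATH => '/usr/bin');    # constructed startup environment
    my @seen;
    for my $req (@requests) {
        my $env = $merge->(\%state, $req);
        my ($sid) = ($env->{HTTP_COOKIE} // '') =~ /CGISESSID=(\w+)/;
        push @seen, $sid // 'none';
    }
    return @seen;
}

print "leaky:    @{[ session_ids(\&merge_leaky) ]}\n";
print "isolated: @{[ session_ids(\&merge_isolated) ]}\n";
```

In a persistent worker, any per-request value held in process-global state (cookies, authorization headers) needs the same reset between requests.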