Do Mojolicious plugins mess with session data?

[jayjay73]

First off, I'm probably doing something I shouldn't. That is I am calling multiple authentication plugins several times directly after one another. Each call uses a different backend and after one succeeds the loop terminates. This lets me use multiple auth backends without having to chose one beforehand.

        my $auth_ok;
        foreach my $am (@auth_modules) {
            $auth_ok= $modules->{$am}{auth}($c);
            if ($auth_ok) { last };
        }

This works fine until after one of the Mojolicious plugins like Mojolicious::Plugin::BasicAuthPlus is called and fails to authenticate. After that, it seems, no further authentication will succeed, ever.

What happens is that the next redirect eats some of the session data from $c->session.

Directly before redirect:

$c->session = { 
                'expires' => 1758258223,
                'redirecting_page' => '/dashboard',
                'login_ok' => 1,
                'username' => 'test1',
                'fresh_auth' => 0
              };

Directly after redirect:

$c->session = { 
                'redirecting_page' => '/dashboard',
                'fresh_auth' => 0,
                'username' => ''
              };

When external (i.e. non-Mojolicious) authentication plugins fail this does not happen. Both session dumps look the same in that case, as they should.

So here's my question: Does the Mojolicious plugin system somehow ensure that session data is pruned in case of an authentication failure? I was of the impression that Mojolicious plugins worked by just giving a return value back.

Or should I consider this behaviour a bug?

TIA guys and thanks for the otherwise awesome framework!

[kraih]

No, outside of session expiration and flash the sessions should not be changed by Mojolicious itself.