Incorrect handling of session when client-side session id doesn't exists

[vrurg]

The situation is easily reproducible: a session was created and session cookie set on a client. Then session record is removed on server side. The next time the client sends a request server would throw with something like:

Type check failed in binding to parameter '$session'; expected <session class name> but got Any (Any)

This is what I get with Cro::HTTP::Session::Red, but any other session manager class would die similarly if save signature does type checking.

The cause of the problem is very simple. Cro::HTTP::Session::Persistent process-requests method takes no action if session-manager class load method returns an undefined value (i.e. no session found in the records). But later on process-responses method finds a session cookie and assumes that a session object does exists and tries to save it resulting in the above error.

[vrurg]

I tried a workaround which would auto-vivify a session in session-manager load method by creating a new record using supplied session ID. This approach eliminates the error but otherwise it seems to be quite error-prone.

So far, the correct approach looks to be for process-requests to create a new session and update session cookie value.