From: Tomas Doran <bobtfish@bobtfish.net>
Date: Thu, 9 Apr 2009 21:38:42 +0000 (+0000)
Subject: Add doc notes
X-Git-Tag: v0.10012~7
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=0c4fbc79e50eadae9616dab21b9be132ed6cc98c;p=catagits%2FCatalyst-Plugin-Authentication.git

Add doc notes
---

diff --git a/Changes b/Changes
index f8a1ff2..0935eff 100644
--- a/Changes
+++ b/Changes
@@ -1,5 +1,7 @@
 Revision history for Perl extension Catalyst::Plugin::Authentication
 
+      - Note about session auto-vification even when use_session is set
+        to false (robert).
       - Note about how a realms key used to be needed to unconfuse people
         running an old version, but browsing the docs on search.cpan (ruoso)
 
diff --git a/lib/Catalyst/Plugin/Authentication.pm b/lib/Catalyst/Plugin/Authentication.pm
index 8119e49..1ea5b7a 100644
--- a/lib/Catalyst/Plugin/Authentication.pm
+++ b/lib/Catalyst/Plugin/Authentication.pm
@@ -807,9 +807,15 @@ L</COMPATIBILITY CONFIGURATION> for more information
 =item use_session
 
 Whether or not to store the user's logged in state in the session, if the
-application is also using L<Catalyst::Plugin::Session>. This 
+application is also using L<Catalyst::Plugin::Session>. This
 value is set to true per default.
 
+However, even if use_session is disabled, if any code touches $c->session, a session
+object will be auto-vivified and session Cookies will be sent in the headers. To
+prevent accidental session creation, check if a session already exists with
+if ($c->sessionid) { ... }. If the session doesn't exist, then don't place
+anything in the session to prevent an unecessary session from being created.
+
 =item default_realm
 
 This defines which realm should be used as when no realm is provided to methods