Description
I noticed the following weird behaviour when using Dancer in combination with Plack::Middleware::Session.
Imagine this simple app with files:
config.yml:

```yaml
session: "PSGI"
log: "debug"
logger: "console"
warnings: 1
show_errors: 1
route_cache: 0
```
app.pl:

```perl
#!/usr/bin/env perl
use strict;
use Dancer;
use Plack::Builder;
use Plack::Session::State::Cookie;

get "/" => sub {
    content_type "text/plain";
    # when session is not used, dancer won't write the cookie plack_session
    session( flag => "true" );
    "ok";
};

my $app = sub {
    Dancer->dance( Dancer::Request->new( env => $_[0] ) );
};

builder {
    enable "Session",
        state => Plack::Session::State::Cookie->new(
            path     => "/",
            httponly => 1,
            samesite => "Strict"
        ),
        store => "File";
    $app;
};
```
Start the app:

```
plackup app.pl
```
Now call this command:

```
$ curl --ipv4 -v "http://localhost:5000/"
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5000 (#0)
> GET / HTTP/1.1
> Host: localhost:5000
> User-Agent: curl/7.54.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Sat, 24 Oct 2020 11:51:26 GMT
< Server: HTTP::Server::PSGI
< Server: Perl Dancer 1.3513
< Content-Length: 2
< Content-Type: text/plain
< Set-Cookie: plack_session=591691120650231880599938160068176594; path=/; HttpOnly
< X-Powered-By: Perl Dancer 1.3513
< Set-Cookie: plack_session=a91cf7ff9af6f744cc2461df9f82cbf4279036ce; path=/; SameSite=Strict; HttpOnly
<
* Closing connection 0
```
What is weird: the cookie "plack_session" is repeated, once with the default settings, and once with the settings from the Plack middleware.

I looked around in the code, and saw that Dancer::Response::add_cookie is called from Dancer::Cookies with arguments plack_session and a Dancer::Cookie object. That explains the first cookie. The second cookie is explained by the Plack middleware. So Dancer still tries to write the session cookie, even though the configuration forbids it?

I do not know how the browser and/or the server deal with this situation (only use the last cookie with that name?), but when the cookie flag should be "secure", it should be secure, and not repeating the same value in another cookie.

Any idea?
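The response above is the kind of thing a header audit should catch: two Set-Cookie headers for the same name, with different attribute sets, so whichever one the client ends up honouring may lack the flags the operator configured. The following is an added example, not code from the issue, from Dancer or from Plack: a small Python checker that parses a captured HTTP response, groups Set-Cookie headers by cookie name, and reports duplicates, attribute mismatches between duplicates, and cookies missing HttpOnly, Secure or SameSite. The sample response is constructed from the curl transcript in this issue; the header parsing is deliberately minimal (no header folding or quoted attribute values).

```python
"""Audit Set-Cookie headers in a captured HTTP response.

Added example for this issue; not part of Dancer or Plack. It flags
(1) several Set-Cookie headers sharing one cookie name, (2) duplicates whose
attributes differ, and (3) any cookie lacking HttpOnly, Secure or SameSite.
"""
from collections import defaultdict

# Flags a session cookie is expected to carry (attribute names lower-cased).
REQUIRED_FLAGS = ("httponly", "secure", "samesite")

# Constructed from the curl output in the issue: the same cookie name is set
# twice, once by Dancer (no SameSite) and once by Plack::Middleware::Session.
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Date: Sat, 24 Oct 2020 11:51:26 GMT\r\n"
    "Server: HTTP::Server::PSGI\r\n"
    "Server: Perl Dancer 1.3513\r\n"
    "Content-Length: 2\r\n"
    "Content-Type: text/plain\r\n"
    "Set-Cookie: plack_session=591691120650231880599938160068176594; path=/; HttpOnly\r\n"
    "X-Powered-By: Perl Dancer 1.3513\r\n"
    "Set-Cookie: plack_session=a91cf7ff9af6f744cc2461df9f82cbf4279036ce; path=/; SameSite=Strict; HttpOnly\r\n"
    "\r\n"
    "ok"
)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or True for
    flag attributes such as HttpOnly and Secure.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value.strip(), attrs


def audit_set_cookie(raw_response):
    """Return findings as (kind, cookie_name, message) tuples.

    raw_response is a full HTTP response (status line, headers, optional
    body) with CRLF or LF line endings. The body is ignored.
    """
    text = raw_response.replace("\r\n", "\n")
    header_block = text.split("\n\n", 1)[0]
    header_lines = header_block.split("\n")[1:]  # drop the status line

    by_name = defaultdict(list)
    for line in header_lines:
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            name, cookie_value, attrs = parse_set_cookie(val.strip())
            by_name[name].append((cookie_value, attrs))

    findings = []
    for name, entries in by_name.items():
        if len(entries) > 1:
            findings.append(("duplicate", name,
                             f"{len(entries)} Set-Cookie headers share this name"))
            # Duplicates with different attributes mean the client's choice of
            # header decides which protections actually apply.
            attr_sets = {frozenset(attrs.items()) for _, attrs in entries}
            if len(attr_sets) > 1:
                findings.append(("mismatch", name,
                                 "the duplicate headers carry different attributes"))
        for _, attrs in entries:
            missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
            if missing:
                findings.append(("weak", name, "missing " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for kind, name, message in audit_set_cookie(SAMPLE_RESPONSE):
        print(f"[{kind}] {name}: {message}")
```

Run against the constructed response the checker reports the duplicate plack_session header, the attribute mismatch between the two copies, and that neither copy carries Secure (the first also lacks SameSite). Feeding it the raw output of `curl -i` or the headers recorded by a proxy is enough to spot this class of regression without reading the Perl.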