Search code examples

Cro user session gets forgotten

I'm trying to learn out Cro (and Perl6 simultaneously) ;)

My study app is based on the documentation of Cro. I added some authentication which does work, but the user session gets forgotten immediately.

You can check out the code at go to the login pasge and login with "user" and "pwd". You get rerouted to / (which indicates the login succeeded), but the message there is "Current user: -". So the session gets lost.

The relevant part of Routes.pm6 :

class UserSession does Cro::HTTP::Auth {
    has $.username is rw;

    method logged-in() {
        defined $!username;

my $routes = route {
    subset LoggedIn of UserSession where *.logged-in;

    get -> UserSession $s {
        content 'text/html', "Current user: {$s.logged-in ?? $s.username !! '-'}";

    get -> LoggedIn $user, 'users-only' {
        content 'text/html', "Secret page just for *YOU*, $user.username()";

    get -> 'login' {
        content 'text/html', q:to/HTML/;
            <form method="POST" action="/login">
                Username: <input type="text" name="username" />
                Password: <input type="password" name="password" />
              <input type="submit" value="Log In" />

    post -> UserSession $user, 'login' {
        request-body -> (:$username, :$password, *%) {
            if valid-user-pass($username, $password) {
                $user.username = $username;
                redirect '/', :see-other;
            else {
                content 'text/html', "Bad username/password";

    sub valid-user-pass($username, $password) {
        # Call a database or similar here
        return $username eq 'user' && $password eq 'pwd';

sub routes(Beaverapp $beaverapp) is export {
    route {
        # Apply middleware, then delegate to the routes.
        before Cro::HTTP::Session::InMemory[UserSession].new;
        delegate <*> => $routes;

I think the problem is due to the middleware session management not working. How should I correct this? Or maybe the problem is due to something else?


  • The behavior you saw was indeed caused by a bug in cookie-treatment inside of HTTP/2 stack.

    As for now, the bug is fixed and the code in OP post works.