Commented: (MODPYTHON-59) Add get_session() method to request object
Web Server forum
Back To The Forum Home!Search!Private Messaging System
Visit your User Control Panel!Register your FREE username now!Visit Our Calendar!View the Member List!Faqs!Search our Forums!

Web Server Talk Web Server Talk > Web Servers reviews > Apache Server configuration support > Apache Mod-Python > Commented: (MODPYTHON-59) Add get_session() method to request object




  Last Thread   Next Thread Next
  Show Printable Version Email this Page Subscribe to this Thread      Post New Thread    Post A Reply      

    Commented: (MODPYTHON-59) Add get_session() method to request object  
Graham Dumpleton (JIRA)


View Ip Address Report This Message To A Moderator Edit/Delete Message


 
07-23-05 10:46 PM

[ http://issues.apache.org/jira/brows...2316
578 ]

Graham Dumpleton commented on MODPYTHON-59:
-------------------------------------------

There is a potential issue with the way that PYSID is stored in the
subprocess_env table and then used to reconstruct the session object
after an internal redirect.

I can see two problems here. The first is that if the target of the
internal redirect is a part of the URL namespace which is under the
control of a different handler, or where ApplicationPath option was set
explicitly to be different, the PYSID would potentially override a valid
pysid for the alternate SID context provided by the browser.

The second problem is that an internal redirect could redirect to a
different part of the URL namespace where the PythonOption for "session"
is set differently. This could for example result in an instance of
Session being created initially but an attempt to create a FileSession
object after the redirect.

In the second case, if the redirect was to a part of the URL namespace
notionally under the same ApplicationPath (implicit or explicit), it is
probably a mistake on the part of the programmer to have specified
different session types within the same SID context. It still could occur
in conjunction with the first case though.

Is my analysis here correct? Along with PYSID it may be necessary to
save away the equivalent of the ApplicationPath (implicit or explicit)
and for the PYSID to be ignored if the target of the internal redirect is
within a different SID context. It would get harder to protect if there were
multiple nested applications of internal redirect. Ie., where you end up
with REDIRECT_PYSID, REDIRECT_REDIRECT_PYSID etc.

> Add get_session() method to request object
> ------------------------------------------
>
>          Key: MODPYTHON-59
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-59
>      Project: mod_python
>         Type: New Feature
>   Components: core
>     Versions: 3.2.0
>  Environment: All
>     Reporter: Jim Gallacher

>
> Users will get session instances by calling req.get_session(). If a session alread
y exists it will be returned, otherwise a new session instance will be created. Sess
ion configuration will be handled using apache directives rather than within their c
ode




[ Post a follow-up to this message ]



    Sponsored Links  




 



   All times are GMT. The time now is 11:20 AM.      Post New Thread    Post A Reply      
  Last Thread   Next Thread Next


Most Popular forums 
Apache Server MySQL for Windows Sendmail
Red Hat Networking SuSe Linux Debian Linux
FreeBSD administration Sun Solaris administration Unix Shell programming
WebSphere Portal Server Exchange 2000 administration PostgreSQL administration
Linux Security Computer Security Firewalls

Forum Jump:
Rate This Thread:

Forum Rules:
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts 		HTML code is OFF
vB code is ON
Smilies are ON
[IMG] code is OFF
 
Medical and Health forum | Computer Games Reviews | Graphics design forum

Back To The Top
Home | Usercp | Faq | Register