 |
|
 |
|
|
 |
cookies generation by session, patch |
 |
 |
|
|
03-21-06 07:52 AM
Hi,
I wrote a simple patch for 'Session.py'. Patch adds possibility to
disable cookies generation by session. And it's optional.
By default cookies generation enabled.
Add Apache directive 'Python Option sessin_cookie_generation 0' for
disabling.
--- mod_python-3.2.8.orig/lib/python/mod_python/Session.py Mon Feb 20
00:51:18 2006
+++ mod_python-3.2.8/lib/python/mod_python/Session.py Tue Mar 21
09:50:46 2006
@@ -138,17 +138,19 @@
dict.__init__(self)
session_cookie_name =
req.get_options().get("session_cookie_name",COOKIE_NAME)
+ session_cookie_generation =
int(req.get_options().get("session_cookie_generation",1))
if not self._sid:
- # check to see if cookie exists
- if secret:
- cookies = Cookie.get_cookies(req,
Class=Cookie.SignedCookie,
- secret=self._secret)
- else:
- cookies = Cookie.get_cookies(req)
+ if session_cookie_generation:
+ # check to see if cookie exists
+ if secret:
+ cookies = Cookie.get_cookies(req,
Class=Cookie.SignedCookie,
+ secret=self._secret)
+ else:
+ cookies = Cookie.get_cookies(req)
- if cookies.has_key(session_cookie_name):
- self._sid = cookies[session_cookie_name].value
+ if cookies.has_key(session_cookie_name):
+ self._sid = cookies[session_cookie_name].value
if self._sid:
# Validate the sid *before* locking the session
@@ -171,7 +173,8 @@
if self._sid: self.unlock() # unlock old sid
self._sid = _new_sid(self._req)
self.lock() # lock new sid
- Cookie.add_cookie(self._req, self.make_cookie())
+ if session_cookie_generation:
+ Cookie.add_cookie(self._req, self.make_cookie())
self._created = time.time()
if timeout:
self._timeout = timeout
[ Post a follow-up to this message ]
|
|
|
 |
|
 |
|
 |
|
|
|
Re: cookies generation by session, patch |
|
|
|
|
03-21-06 12:48 PM
Now can you explain why one would want to do this?
Unless you provide some justification of why it is necessary it is
less likely
to be accepted as although the reasons may be obvious to you, it may not
be to us. There also may be better ways of achieving the same end.
Also, describe why this would be better than simply deleting the cookie
that is being created from the outgoing headers.
del req.headers_out["Set-Cookie"]
Graham
On 21/03/2006, at 7:39 PM, Stanislav Ershov wrote:
> Hi,
> I wrote a simple patch for 'Session.py'. Patch adds possibility to
> disable cookies generation by session. And it's optional.
>
> By default cookies generation enabled.
> Add Apache directive 'Python Option sessin_cookie_generation 0' for
> disabling.
>
> --- mod_python-3.2.8.orig/lib/python/mod_python/Session.py Mon Feb
> 20 00:51:18 2006
> +++ mod_python-3.2.8/lib/python/mod_python/Session.py Tue Mar 21
> 09:50:46 2006
> @@ -138,17 +138,19 @@
> dict.__init__(self)
>
> session_cookie_name = req.get_options().get
> ("session_cookie_name",COOKIE_NAME)
> + session_cookie_generation = int(req.get_options().get
> ("session_cookie_generation",1))
>
> if not self._sid:
> - # check to see if cookie exists
> - if secret:
> - cookies = Cookie.get_cookies(req,
> Class=Cookie.SignedCookie,
> - secret=self._secret)
> - else:
> - cookies = Cookie.get_cookies(req)
> + if session_cookie_generation:
> + # check to see if cookie exists
> + if secret:
> + cookies = Cookie.get_cookies(req,
> Class=Cookie.SignedCookie,
> + secret=self._secret)
> + else:
> + cookies = Cookie.get_cookies(req)
>
> - if cookies.has_key(session_cookie_name):
> - self._sid = cookies[session_cookie_name].value
> + if cookies.has_key(session_cookie_name):
> + self._sid = cookies[session_cookie_name].value
>
> if self._sid:
> # Validate the sid *before* locking the session
> @@ -171,7 +173,8 @@
> if self._sid: self.unlock() # unlock old sid
> self._sid = _new_sid(self._req)
> self.lock() # lock new sid
> - Cookie.add_cookie(self._req, self.make_cookie())
> + if session_cookie_generation:
> + Cookie.add_cookie(self._req, self.make_cookie())
> self._created = time.time()
> if timeout:
> self._timeout = timeout
[ Post a follow-up to this message ]
|
|
|
|
|
|
|
|
|
|
|
Re: cookies generation by session, patch |
|
|
|
|
03-21-06 10:48 PM
Now that I have some time, I'll explain why I want your reasoning. I
didn't have the time when I sent original email.
The only reason I can think of for Session not to generate a cookie is
because the SID is being extracted from the URL or is being passed by
some mechanism other than as a cookie.
In this case the SID would need to be supplied explicitly when the
Session object is being created:
session = Session(req, sid=value)
When a SID is supplied in this way, the Session object does not attempt
to parse any cookies to get it.
if not self._sid:
# check to see if cookie exists
if secret:
cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie,
secret=self._secret)
else:
cookies = Cookie.get_cookies(req)
if cookies.has_key(session_cookie_name):
self._sid = cookies[session_cookie_name].value
Ie. only uses cookies to get it when self._sid evaluates False.
Since if not using cookies but supplying the SID, the fact that
this happens means that the change:
[vbcol=seagreen]
is possibly redundant. I can't see any sense why if not supplying
the SID that you would want to stop it reading the cookies as
it probably wouldn't be useful.
In respect of writing out a cookie, it could be argued that if you
were supplying your own SID that it shouldn't assume that it should
write the cookie. In that case though, rather than:
[vbcol=seagreen]
it possibly should be:
if not sid:
Cookie.add_cookie(self._req, self.make_cookie())
In other words, don't write out cookie if SID was supplied as input
parameter.
Thus, there wouldn't need to be a reason for a specific Python option
to disable writing of cookie.
So, can you explain what the original problem is you are trying to
solve. On first appearances, your solution would seem to be going
about it the wrong way.
A question for others. Would it be reasonable that a cookie is not
written out if SID was supplied explicitly?
Graham
Graham Dumpleton wrote ..[vbcol=seagreen]
> Now can you explain why one would want to do this?
>
> Unless you provide some justification of why it is necessary it is
> less likely
> to be accepted as although the reasons may be obvious to you, it may not
> be to us. There also may be better ways of achieving the same end.
>
> Also, describe why this would be better than simply deleting the cookie
> that is being created from the outgoing headers.
>
> del req.headers_out["Set-Cookie"]
>
> Graham
>
> On 21/03/2006, at 7:39 PM, Stanislav Ershov wrote:
>
[ Post a follow-up to this message ]
|
|
|
|
|
|
|
|
|
|
|
Re: cookies generation by session, patch |
|
|
|
|
03-21-06 10:48 PM
Graham Dumpleton wrote:
> Now that I have some time, I'll explain why I want your reasoning. I
> didn't have the time when I sent original email.
>
> The only reason I can think of for Session not to generate a cookie is
> because the SID is being extracted from the URL or is being passed by
> some mechanism other than as a cookie.
>
> In this case the SID would need to be supplied explicitly when the
> Session object is being created:
>
> session = Session(req, sid=value)
>
> When a SID is supplied in this way, the Session object does not attempt
> to parse any cookies to get it.
>
> if not self._sid:
> # check to see if cookie exists
> if secret:
> cookies = Cookie.get_cookies(req, Class=Cookie.SignedCooki
e,
> secret=self._secret)
> else:
> cookies = Cookie.get_cookies(req)
>
> if cookies.has_key(session_cookie_name):
> self._sid = cookies[session_cookie_name].value
>
> Ie. only uses cookies to get it when self._sid evaluates False.
>
> Since if not using cookies but supplying the SID, the fact that
> this happens means that the change:
>
>
>
>
> is possibly redundant. I can't see any sense why if not supplying
> the SID that you would want to stop it reading the cookies as
> it probably wouldn't be useful.
>
> In respect of writing out a cookie, it could be argued that if you
> were supplying your own SID that it shouldn't assume that it should
> write the cookie. In that case though, rather than:
>
>
>
>
> it possibly should be:
>
> if not sid:
> Cookie.add_cookie(self._req, self.make_cookie())
>
> In other words, don't write out cookie if SID was supplied as input
> parameter.
>
> Thus, there wouldn't need to be a reason for a specific Python option
> to disable writing of cookie.
>
> So, can you explain what the original problem is you are trying to
> solve. On first appearances, your solution would seem to be going
> about it the wrong way.
>
> A question for others. Would it be reasonable that a cookie is not
> written out if SID was supplied explicitly?
The only advantage I can see is where the browser is set to notify the
user every time a cookie is set, but those people must have gone crazy
long ago anyway. On the other hand, explicit is better than implicit. On
the other other hand, could there be application code out there that is
setting the sid, but still making use of the cookie? If so, then the
simple "if not sid" check would break their code.
Unless Stanislav can give a good use case, I'd be inclined to leave
things as is.
Jim
[ Post a follow-up to this message ]
|
|
|
|
|
|
|
|
|
|
|
Sponsored Links |
|
|
|
|
 |
All times are GMT. The time now is 02:23 PM. |
 |
|
|
 |
|
 |
|
|
 |
|
Forum Rules:
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is OFF
vB code is ON
Smilies are ON
[IMG] code is OFF
|
|
|
|
Medical and Health forum | Computer Games Reviews | Graphics design forum
|
 |
|
 |
|
