> > I can see two problems here. The first is that if the target of the > > internal redirect is a part of the URL namespace which is under the > > control of a different handler, or where ApplicationPath option was set > > explicitly to be different, the PYSID would potentially override a valid > > pysid for the alternate SID context provided by the browser. > > I get your point but is this actually a problem? Since it's an internal > redirect, the browser will not be aware it is being redirected, so it > will always send the same PYSID cookie. (Did that sentence make sense?) > > Even if the second handler sets a session cookie with a path for URL2, > the browser will always send the cookie corresponding to URL1.
Probably true. There may be convoluted cases where if someone was doing extra wierd stuff with overriding ApplicationPath and playing with the option being discussed for SessionCookieName, strange things might occur, but if people get that convoluted they get what they deserve. One other aspect of this that I have been thinking about is the feature in there for auto saving and unlocking a session before doing an internal redirect. In doing this you have changed how things work now and it does open up slim chance that existing code could break. Imagine where someone had stored stuff in the session object but then used internal redirect to force a special error response by triggering a handler outside of the session context. They didn't save the session because they wanted to discard their progressive changes. Now that it does an autosave, it may save stuff up code given that people didn't want it saved. Also, you don't recreate the session object after internal redirect has returned. Since internal redirect returns control back to the caller still, there is a chance that someone might be expecting to still be able to use the session object in some way after the internal redirect has returned. Is my memory that internal redirect does return actually right? Have no time now to research it. I thus question whether autosave on redirect is a good idea or not. People can explicitly do it now themselves. If the code is in there, it should perhaps at least be off by default and require an explicit option to turn it on. If it has to be turned on though, people may as well code it themselves. Graham