Jim Gallacher wrote ..
> The idea of something like req.get_session() is to give users an obvious
> way to grab a session object without the deadlock concerns. How many
> times have we seen this kind of problem-code on the mailing list?
>
> def index(req):
>     sess = Session.Session(req)
>     do_stuff(req)
>     ...
>
> def do_stuff(req):
>     sess = Session.Session(req)
>     ... do other stuff.
>
> Having the session constructor check for the existence of req.session is
> of no use here. We need a way to make sure only *one* session instance
> is created per request. (Bonus marks for making it work with internal
> redirect).

FWIW, I use the following in a class based authenhandler.

    import threading

    # Reuse the session already created on this thread for this request.
    thread = threading.currentThread()
    if thread in self.__cache:
        req.session = self.__cache[thread]
    else:
        req.session = Session.Session(req)
        self.__cache[thread] = req.session

        # Drop the cache entry when the request is finished.
        def cleanup(data):
            del self.__cache[thread]
        req.register_cleanup(cleanup)

In short, store it in a cache outside of the request object keyed by the
thread ID. Works for both internal redirects and also for fast redirects
as used by DirectoryIndex matching algorithm, although for the latter
there are other issues as I have documented in MODPYTHON-146.

My thinking keeps changing a bit, but overall I have been leaning towards
not having a get_session() like function explicitly provided and instead
documenting how to correctly write an authenhandler which can handle form
based login with sessions. I.e., use Apache phases properly rather than
pushing authentication into content handler phase as most do.

Unfortunately, I keep finding things in mod_python that need to be
improved or fixed to avoid having to fudge things, thus haven't
presented my code for others to look at yet. :-(

Graham
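
The following is an added example, not part of the original message and not mod_python code: it models the double-construction deadlock from the quoted snippet and the thread-keyed cache described in the reply, and shows why the cleanup matters (without it, the next request served by the same thread would receive the previous request's session). FakeSession, SessionCache and the cleanups list are hypothetical stand-ins; releasing the lock in the cleanup and the lock timeout are assumptions made so the model runs offline.

```python
import threading

class FakeSession:
    """Hypothetical stand-in for a mod_python session: locks its ID on creation."""
    _locks = {}                       # session ID -> non-reentrant lock
    _guard = threading.Lock()
    def __init__(self, sid, timeout=0.2):
        with FakeSession._guard:
            lock = FakeSession._locks.setdefault(sid, threading.Lock())
        # A real session would block here forever; the timeout keeps the demo finite.
        if not lock.acquire(timeout=timeout):
            raise RuntimeError("session %s is already locked" % sid)
        self.sid, self._lock = sid, lock
    def unlock(self):
        self._lock.release()

class SessionCache:
    """One session per request, held outside the request and keyed by thread."""
    def __init__(self):
        self._cache = {}
    def get(self, sid, cleanups):
        thread = threading.current_thread()
        if thread not in self._cache:
            session = self._cache[thread] = FakeSession(sid)
            def cleanup():
                # End of request: the thread's next request must not inherit this session.
                del self._cache[thread]
                session.unlock()
            cleanups.append(cleanup)  # stands in for req.register_cleanup()
        return self._cache[thread]

def naive_request(sid):
    """Two call sites each construct a session; the second cannot get the lock."""
    first = FakeSession(sid)
    try:
        FakeSession(sid)
        return "ok"
    except RuntimeError:
        return "deadlock"
    finally:
        first.unlock()

def cached_request(cache, sid):
    """Both call sites go through the cache and receive the same instance."""
    cleanups = []
    a, b = cache.get(sid, cleanups), cache.get(sid, cleanups)
    for fn in cleanups:
        fn()
    return a is b, len(cleanups)
```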