Re: cookies generation by session, patch

Tue, 21 Mar 2006 13:47:23 -0800 

Now that I have some time, I'll explain why I want your reasoning. I
didn't have the time when I sent original email.

The only reason I can think of for Session not to generate a cookie is
because the SID is being extracted from the URL or is being passed by
some mechanism other than as a cookie.

In this case the SID would need to be supplied explicitly when the
Session object is being created:

  session = Session(req, sid=value)

When a SID is supplied in this way, the Session object does not attempt
to parse any cookies to get it.

        if not self._sid:
            # check to see if cookie exists
            if secret:
                cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie,
                                             secret=self._secret)
            else:
                cookies = Cookie.get_cookies(req)

            if cookies.has_key(session_cookie_name):
                self._sid = cookies[session_cookie_name].value

Ie. only uses cookies to get it when self._sid evaluates False.

Since if not using cookies but supplying the SID, the fact that
this happens means that the change:

> >          if not self._sid:
> > -            # check to see if cookie exists
> > -            if secret:
> > -                cookies = Cookie.get_cookies(req,  
> > Class=Cookie.SignedCookie,
> > -                                             secret=self._secret)
> > -            else:
> > -                cookies = Cookie.get_cookies(req)
> > +            if session_cookie_generation:
> > +                # check to see if cookie exists
> > +                if secret:
> > +                    cookies = Cookie.get_cookies(req,  
> > Class=Cookie.SignedCookie,
> > +                                                 secret=self._secret)
> > +                   else:
> > +                    cookies = Cookie.get_cookies(req)

is possibly redundant. I can't see any sense why if not supplying
the SID that you would want to stop it reading the cookies as
it probably wouldn't be useful.

In respect of writing out a cookie, it could be argued that if you
were supplying your own SID that it shouldn't assume that it should
write the cookie. In that case though, rather than:

> > -            Cookie.add_cookie(self._req, self.make_cookie())
> > +            if session_cookie_generation:
> > +                Cookie.add_cookie(self._req, self.make_cookie())

it possibly should be:

  if not sid:
    Cookie.add_cookie(self._req, self.make_cookie())

In other words, don't write out cookie if SID was supplied as input
parameter.

Thus, there wouldn't need to be a reason for a specific Python option
to disable writing of cookie.

So, can you explain what the original problem is you are trying to
solve. On first appearances, your solution would seem to be going
about it the wrong way.

A question for others. Would it be reasonable that a cookie is not
written out if SID was supplied explicitly?

Graham

Graham Dumpleton wrote ..
> Now can you explain why one would want to do this?
> 
> Unless you provide some justification of why it is necessary it is  
> less likely
> to be accepted as although the reasons may be obvious to you, it may not
> be to us. There also may be better ways of achieving the same end.
> 
> Also, describe why this would be better than simply deleting the cookie
> that is being created from the outgoing headers.
> 
>    del req.headers_out["Set-Cookie"]
> 
> Graham
> 
> On 21/03/2006, at 7:39 PM, Stanislav Ershov wrote:
> 
> > Hi,
> > I wrote a simple patch for 'Session.py'. Patch adds possibility to  
> > disable cookies generation by session. And it's optional.
> >
> > By default cookies generation enabled.
> > Add Apache directive 'Python Option sessin_cookie_generation 0' for 
> > disabling.
> >
> > --- mod_python-3.2.8.orig/lib/python/mod_python/Session.py  Mon Feb  
> > 20 00:51:18 2006
> > +++ mod_python-3.2.8/lib/python/mod_python/Session.py       Tue Mar 21  
> > 09:50:46 2006
> > @@ -138,17 +138,19 @@
> >          dict.__init__(self)
> >
> >          session_cookie_name = req.get_options().get 
> > ("session_cookie_name",COOKIE_NAME)
> > +        session_cookie_generation = int(req.get_options().get 
> > ("session_cookie_generation",1))
> >
> >          if not self._sid:
> > -            # check to see if cookie exists
> > -            if secret:
> > -                cookies = Cookie.get_cookies(req,  
> > Class=Cookie.SignedCookie,
> > -                                             secret=self._secret)
> > -            else:
> > -                cookies = Cookie.get_cookies(req)
> > +            if session_cookie_generation:
> > +                # check to see if cookie exists
> > +                if secret:
> > +                    cookies = Cookie.get_cookies(req,  
> > Class=Cookie.SignedCookie,
> > +                                                 secret=self._secret)
> > +                   else:
> > +                    cookies = Cookie.get_cookies(req)
> >
> > -            if cookies.has_key(session_cookie_name):
> > -                self._sid = cookies[session_cookie_name].value
> > +                if cookies.has_key(session_cookie_name):
> > +                    self._sid = cookies[session_cookie_name].value
> >
> >          if self._sid:
> >              # Validate the sid *before* locking the session
> > @@ -171,7 +173,8 @@
> >              if self._sid: self.unlock() # unlock old sid
> >              self._sid = _new_sid(self._req)
> >              self.lock()                 # lock new sid
> > -            Cookie.add_cookie(self._req, self.make_cookie())
> > +            if session_cookie_generation:
> > +                Cookie.add_cookie(self._req, self.make_cookie())
> >              self._created = time.time()
> >              if timeout:
> >                  self._timeout = timeout

Reply via email to