Graham Dumpleton wrote:
Now that I have some time, I'll explain why I want your reasoning. I
didn't have the time when I sent original email.
The only reason I can think of for Session not to generate a cookie is
because the SID is being extracted from the URL or is being passed by
some mechanism other than as a cookie.
In this case the SID would need to be supplied explicitly when the
Session object is being created:
session = Session(req, sid=value)
When a SID is supplied in this way, the Session object does not attempt
to parse any cookies to get it.
if not self._sid:
# check to see if cookie exists
if secret:
cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie,
secret=self._secret)
else:
cookies = Cookie.get_cookies(req)
if cookies.has_key(session_cookie_name):
self._sid = cookies[session_cookie_name].value
Ie. only uses cookies to get it when self._sid evaluates False.
Since if not using cookies but supplying the SID, the fact that
this happens means that the change:
if not self._sid:
- # check to see if cookie exists
- if secret:
- cookies = Cookie.get_cookies(req,
Class=Cookie.SignedCookie,
- secret=self._secret)
- else:
- cookies = Cookie.get_cookies(req)
+ if session_cookie_generation:
+ # check to see if cookie exists
+ if secret:
+ cookies = Cookie.get_cookies(req,
Class=Cookie.SignedCookie,
+ secret=self._secret)
+ else:
+ cookies = Cookie.get_cookies(req)
is possibly redundant. I can't see any sense why if not supplying
the SID that you would want to stop it reading the cookies as
it probably wouldn't be useful.
In respect of writing out a cookie, it could be argued that if you
were supplying your own SID that it shouldn't assume that it should
write the cookie. In that case though, rather than:
- Cookie.add_cookie(self._req, self.make_cookie())
+ if session_cookie_generation:
+ Cookie.add_cookie(self._req, self.make_cookie())
it possibly should be:
if not sid:
Cookie.add_cookie(self._req, self.make_cookie())
In other words, don't write out cookie if SID was supplied as input
parameter.
Thus, there wouldn't need to be a reason for a specific Python option
to disable writing of cookie.
So, can you explain what the original problem is you are trying to
solve. On first appearances, your solution would seem to be going
about it the wrong way.
A question for others. Would it be reasonable that a cookie is not
written out if SID was supplied explicitly?
The only advantage I can see is where the browser is set to notify the
user every time a cookie is set, but those people must have gone crazy
long ago anyway. On the other hand, explicit is better than implicit. On
the other other hand, could there be application code out there that is
setting the sid, but still making use of the cookie? If so, then the
simple "if not sid" check would break their code.
Unless Stanislav can give a good use case, I'd be inclined to leave
things as is.
Jim
