cookies generation by session, patch
Hi, I wrote a simple patch for 'Session.py'. Patch adds possibility to disable cookies generation by session. And it's optional. By default cookies generation enabled. Add Apache directive 'Python Option sessin_cookie_generation 0' for disabling. --- mod_python-3.2.8.orig/lib/python/mod_python/Session.py Mon Feb 20 00:51:18 2006 +++ mod_python-3.2.8/lib/python/mod_python/Session.py Tue Mar 21 09:50:46 2006 @@ -138,17 +138,19 @@ dict.__init__(self) session_cookie_name = req.get_options().get(session_cookie_name,COOKIE_NAME) +session_cookie_generation = int(req.get_options().get(session_cookie_generation,1)) if not self._sid: -# check to see if cookie exists -if secret: -cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, - secret=self._secret) -else: -cookies = Cookie.get_cookies(req) +if session_cookie_generation: +# check to see if cookie exists +if secret: +cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, + secret=self._secret) + else: +cookies = Cookie.get_cookies(req) -if cookies.has_key(session_cookie_name): -self._sid = cookies[session_cookie_name].value +if cookies.has_key(session_cookie_name): +self._sid = cookies[session_cookie_name].value if self._sid: # Validate the sid *before* locking the session @@ -171,7 +173,8 @@ if self._sid: self.unlock() # unlock old sid self._sid = _new_sid(self._req) self.lock() # lock new sid -Cookie.add_cookie(self._req, self.make_cookie()) +if session_cookie_generation: +Cookie.add_cookie(self._req, self.make_cookie()) self._created = time.time() if timeout: self._timeout = timeout
Re: cookies generation by session, patch
Now can you explain why one would want to do this? Unless you provide some justification of why it is necessary it is less likely to be accepted as although the reasons may be obvious to you, it may not be to us. There also may be better ways of achieving the same end. Also, describe why this would be better than simply deleting the cookie that is being created from the outgoing headers. del req.headers_out[Set-Cookie] Graham On 21/03/2006, at 7:39 PM, Stanislav Ershov wrote: Hi, I wrote a simple patch for 'Session.py'. Patch adds possibility to disable cookies generation by session. And it's optional. By default cookies generation enabled. Add Apache directive 'Python Option sessin_cookie_generation 0' for disabling. --- mod_python-3.2.8.orig/lib/python/mod_python/Session.py Mon Feb 20 00:51:18 2006 +++ mod_python-3.2.8/lib/python/mod_python/Session.py Tue Mar 21 09:50:46 2006 @@ -138,17 +138,19 @@ dict.__init__(self) session_cookie_name = req.get_options().get (session_cookie_name,COOKIE_NAME) +session_cookie_generation = int(req.get_options().get (session_cookie_generation,1)) if not self._sid: -# check to see if cookie exists -if secret: -cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, - secret=self._secret) -else: -cookies = Cookie.get_cookies(req) +if session_cookie_generation: +# check to see if cookie exists +if secret: +cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, + secret=self._secret) + else: +cookies = Cookie.get_cookies(req) -if cookies.has_key(session_cookie_name): -self._sid = cookies[session_cookie_name].value +if cookies.has_key(session_cookie_name): +self._sid = cookies[session_cookie_name].value if self._sid: # Validate the sid *before* locking the session @@ -171,7 +173,8 @@ if self._sid: self.unlock() # unlock old sid self._sid = _new_sid(self._req) self.lock() # lock new sid -Cookie.add_cookie(self._req, self.make_cookie()) +if session_cookie_generation: +Cookie.add_cookie(self._req, self.make_cookie()) self._created = time.time() if timeout: self._timeout = timeout
Re: cookies generation by session, patch
Now that I have some time, I'll explain why I want your reasoning. I didn't have the time when I sent original email. The only reason I can think of for Session not to generate a cookie is because the SID is being extracted from the URL or is being passed by some mechanism other than as a cookie. In this case the SID would need to be supplied explicitly when the Session object is being created: session = Session(req, sid=value) When a SID is supplied in this way, the Session object does not attempt to parse any cookies to get it. if not self._sid: # check to see if cookie exists if secret: cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, secret=self._secret) else: cookies = Cookie.get_cookies(req) if cookies.has_key(session_cookie_name): self._sid = cookies[session_cookie_name].value Ie. only uses cookies to get it when self._sid evaluates False. Since if not using cookies but supplying the SID, the fact that this happens means that the change: if not self._sid: -# check to see if cookie exists -if secret: -cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, - secret=self._secret) -else: -cookies = Cookie.get_cookies(req) +if session_cookie_generation: +# check to see if cookie exists +if secret: +cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, + secret=self._secret) + else: +cookies = Cookie.get_cookies(req) is possibly redundant. I can't see any sense why if not supplying the SID that you would want to stop it reading the cookies as it probably wouldn't be useful. In respect of writing out a cookie, it could be argued that if you were supplying your own SID that it shouldn't assume that it should write the cookie. In that case though, rather than: -Cookie.add_cookie(self._req, self.make_cookie()) +if session_cookie_generation: +Cookie.add_cookie(self._req, self.make_cookie()) it possibly should be: if not sid: Cookie.add_cookie(self._req, self.make_cookie()) In other words, don't write out cookie if SID was supplied as input parameter. Thus, there wouldn't need to be a reason for a specific Python option to disable writing of cookie. So, can you explain what the original problem is you are trying to solve. On first appearances, your solution would seem to be going about it the wrong way. A question for others. Would it be reasonable that a cookie is not written out if SID was supplied explicitly? Graham Graham Dumpleton wrote .. Now can you explain why one would want to do this? Unless you provide some justification of why it is necessary it is less likely to be accepted as although the reasons may be obvious to you, it may not be to us. There also may be better ways of achieving the same end. Also, describe why this would be better than simply deleting the cookie that is being created from the outgoing headers. del req.headers_out[Set-Cookie] Graham On 21/03/2006, at 7:39 PM, Stanislav Ershov wrote: Hi, I wrote a simple patch for 'Session.py'. Patch adds possibility to disable cookies generation by session. And it's optional. By default cookies generation enabled. Add Apache directive 'Python Option sessin_cookie_generation 0' for disabling. --- mod_python-3.2.8.orig/lib/python/mod_python/Session.py Mon Feb 20 00:51:18 2006 +++ mod_python-3.2.8/lib/python/mod_python/Session.py Tue Mar 21 09:50:46 2006 @@ -138,17 +138,19 @@ dict.__init__(self) session_cookie_name = req.get_options().get (session_cookie_name,COOKIE_NAME) +session_cookie_generation = int(req.get_options().get (session_cookie_generation,1)) if not self._sid: -# check to see if cookie exists -if secret: -cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, - secret=self._secret) -else: -cookies = Cookie.get_cookies(req) +if session_cookie_generation: +# check to see if cookie exists +if secret: +cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, + secret=self._secret) + else: +cookies = Cookie.get_cookies(req) -if cookies.has_key(session_cookie_name): -self._sid = cookies[session_cookie_name].value +if
Re: cookies generation by session, patch
Graham Dumpleton wrote: Now that I have some time, I'll explain why I want your reasoning. I didn't have the time when I sent original email. The only reason I can think of for Session not to generate a cookie is because the SID is being extracted from the URL or is being passed by some mechanism other than as a cookie. In this case the SID would need to be supplied explicitly when the Session object is being created: session = Session(req, sid=value) When a SID is supplied in this way, the Session object does not attempt to parse any cookies to get it. if not self._sid: # check to see if cookie exists if secret: cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, secret=self._secret) else: cookies = Cookie.get_cookies(req) if cookies.has_key(session_cookie_name): self._sid = cookies[session_cookie_name].value Ie. only uses cookies to get it when self._sid evaluates False. Since if not using cookies but supplying the SID, the fact that this happens means that the change: if not self._sid: -# check to see if cookie exists -if secret: -cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, - secret=self._secret) -else: -cookies = Cookie.get_cookies(req) +if session_cookie_generation: +# check to see if cookie exists +if secret: +cookies = Cookie.get_cookies(req, Class=Cookie.SignedCookie, + secret=self._secret) + else: +cookies = Cookie.get_cookies(req) is possibly redundant. I can't see any sense why if not supplying the SID that you would want to stop it reading the cookies as it probably wouldn't be useful. In respect of writing out a cookie, it could be argued that if you were supplying your own SID that it shouldn't assume that it should write the cookie. In that case though, rather than: -Cookie.add_cookie(self._req, self.make_cookie()) +if session_cookie_generation: +Cookie.add_cookie(self._req, self.make_cookie()) it possibly should be: if not sid: Cookie.add_cookie(self._req, self.make_cookie()) In other words, don't write out cookie if SID was supplied as input parameter. Thus, there wouldn't need to be a reason for a specific Python option to disable writing of cookie. So, can you explain what the original problem is you are trying to solve. On first appearances, your solution would seem to be going about it the wrong way. A question for others. Would it be reasonable that a cookie is not written out if SID was supplied explicitly? The only advantage I can see is where the browser is set to notify the user every time a cookie is set, but those people must have gone crazy long ago anyway. On the other hand, explicit is better than implicit. On the other other hand, could there be application code out there that is setting the sid, but still making use of the cookie? If so, then the simple if not sid check would break their code. Unless Stanislav can give a good use case, I'd be inclined to leave things as is. Jim
