On Wednesday 01 October 2008, [EMAIL PROTECTED] wrote: > On 11:31 am, [EMAIL PROTECTED] wrote: > >None of this is a critical problem, but it does feel a bit strange. Is > >the > >current design motivated by something I haven't understood yet, or is > >it > >something that works well enough in typical use even though it has some > >unexpected special cases? > > Most likely the latter. twisted.web.server.Session was designed years > and years ago, before anyone involved in Twisted really had any idea how > the web worked. It turns out that it works okay for a lot of cases, but > it could definitely be a lot better. > > It sounds like you've got lots of very specific ideas for making it > better. I very much doubt that you're misunderstanding it; please > search around the tracker at <http://twistedmatrix.com/trac/> and find > existing tickets that describe some of these issues (there are bound to > be a few) and feel free to file some new ones. Patches (with tests, of > course) would be very much appreciated.
I looked for tickets describing these issues, and while I found a few that describe related issues, I did not find any that describe the same issues. Therefore, I entered two new tickets about session expiry: Session expiry check frequency should be based on sessionTimeout http://twistedmatrix.com/trac/ticket/3457 Expired session can be revived http://twistedmatrix.com/trac/ticket/3458 While writing the first ticket, I realized that I was mixing up session expiry and session cleanup. Expiry is when the session timeout occurs, while cleanup is when the session object is removed. The implementation also mixes up these concepts though: the callbacks registered with notifyOnExpire() are called on cleanup, not on expiry. It might be possible to fix 3457 in such a way that 3458 would be fixed as well without extra effort: if expired sessions are immediately cleaned up, it is not possible for an expired session to be revived, since it is simply no longer around. I also wrote a ticket about the UIDs generation: Session UID might be predictable http://twistedmatrix.com/trac/ticket/3460 The most important question in this ticket is whether the session UID is indeed supposed to be unpredictable, or whether it is good enough if the UID is unique. Can someone please answer that? And finally a ticket about session cookies and HTTPS: Use secure session cookie when connection is secure http://twistedmatrix.com/trac/ticket/3461 Bye, Maarten
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Twisted-web mailing list [email protected] http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web
