On Fri, 3 Oct 2008 13:01:06 +0200, Maarten ter Huurne <[EMAIL PROTECTED]> wrote:
[snip]

I looked for tickets describing these issues, and while I found a few that
describe related issues, I did not find any that describe the same issues.
Therefore, I entered two new tickets about session expiry:

Session expiry check frequency should be based on sessionTimeout
http://twistedmatrix.com/trac/ticket/3457

Expired session can be revived
http://twistedmatrix.com/trac/ticket/3458

While writing the first ticket, I realized that I was mixing up session
expiry and session cleanup. Expiry is when the session timeout occurs,
while cleanup is when the session object is removed. The implementation
also mixes up these concepts though: the callbacks registered with
notifyOnExpire() are called on cleanup, not on expiry.

It might be possible to fix 3457 in such a way that 3458 would be fixed as
well without extra effort: if expired sessions are immediately cleaned up,
it is not possible for an expired session to be revived, since it is simply
no longer around.

I also wrote a ticket about UID generation:

Session UID might be predictable
http://twistedmatrix.com/trac/ticket/3460

The most important question in this ticket is whether the session UID is
indeed supposed to be unpredictable, or whether it is good enough if the
UID is unique. Can someone please answer that?

And finally a ticket about session cookies and HTTPS:

Use secure session cookie when connection is secure
http://twistedmatrix.com/trac/ticket/3461

Thanks a lot for filing these issues, Maarten.
Jean-Paul
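
The distinction between expiry and cleanup drawn in the message above, as an added example that is not part of the original thread and not Twisted's code: a toy store that checks expiry on every lookup, so a session past its timeout is removed rather than revived even if the periodic cleanup has not run yet. `SessionStore`, `session_cookie` and the `SESSION` cookie name are hypothetical, and the example assumes the UID is meant to be unpredictable and that the cookie should carry `Secure` on HTTPS connections.

```python
import secrets
import time


class SessionStore:
    """Toy store: expiry is enforced at lookup, cleanup is a separate sweep."""

    def __init__(self, timeout, clock=time.monotonic):
        self.timeout = timeout        # seconds of inactivity before expiry
        self.clock = clock            # injectable so expiry can be tested
        self.sessions = {}            # uid -> time of last access
        self.expired_callbacks = []   # called with the uid on removal

    def create(self):
        uid = secrets.token_hex(16)   # 128 bits from the OS CSPRNG
        self.sessions[uid] = self.clock()
        return uid

    def _is_expired(self, uid, now):
        return now - self.sessions[uid] >= self.timeout

    def _remove(self, uid):
        del self.sessions[uid]
        for callback in self.expired_callbacks:
            callback(uid)

    def get(self, uid):
        """True (and refreshed) if live; an expired session is removed instead."""
        now = self.clock()
        if uid not in self.sessions:
            return False
        if self._is_expired(uid, now):
            self._remove(uid)         # expiry and cleanup happen together
            return False
        self.sessions[uid] = now      # only a live session gets its timer reset
        return True

    def cleanup(self):
        """Periodic sweep for sessions nobody asked for again."""
        now = self.clock()
        for uid in [u for u in self.sessions if self._is_expired(u, now)]:
            self._remove(uid)


def session_cookie(uid, is_secure):
    """Build a Set-Cookie value; Secure is added only for HTTPS requests."""
    attrs = ["SESSION=" + uid, "Path=/", "HttpOnly"]
    if is_secure:
        attrs.append("Secure")
    return "; ".join(attrs)
```

Because `get()` compares against the timeout before touching the timestamp, the interval of the `cleanup()` sweep only affects how long dead entries occupy memory, not whether they can be used.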