[Twisted-Python] Sessions and URLs

Edmund Dengler edmundd at eSentire.com
Sat Aug 9 12:45:30 EDT 2003

Hi all!

Dug into the library. It looks like woven.guard.SessionWrapper is setup
to return a child EVEN IF YOU DO NOT HAVE A SESSION!!.

Basically. the code structure of getChild() looks like (I could be wrong
in my understanding, so please correct if I am making a mistake):

     some setup stuff
     if we have a session key as the next bit in the path
       if the key matches the cookie
         we have cookies enabled, get rid of the embedded key
       else (cookies are disabled, keep the key)
     elif we have a cookie from the browser
     elif we are explicitely calling "session-init"
     else (we do not have a cookie anywhere)
       return the child anyways!!!

So, the code is structured such that a cookie is not available, the normal
children still get returned. Is this suppose to be how it works? Should
this be changed so that a flag is available for "force session"? Or should
a session always be forced (no option)?

Should we have a pattern such as "session-name:cookie" so we can do a
pattern match for old sessions no longer cached (and force a new session)?


More information about the Twisted-Python mailing list