[Twisted-web] Session class

Jean-Paul Calderone exarkun at divmod.com
Fri Oct 3 10:38:53 EDT 2008


On Fri, 3 Oct 2008 13:01:06 +0200, Maarten ter Huurne <maarten at treewalker.org> wrote:
> [snip]
>
>I looked for tickets describing these issues, and while I found a few that
>describe related issues, I did not find any that describe the same issues.
>Therefore, I entered two new tickets about session expiry:
>
>  Session expiry check frequency should be based on sessionTimeout
>  http://twistedmatrix.com/trac/ticket/3457
>
>  Expired session can be revived
>  http://twistedmatrix.com/trac/ticket/3458
>
>While writing the first ticket, I realized that I was mixing up session
>expiry and session cleanup. Expiry is when the session timeout occurs,
>while cleanup is when the session object is removed. The implementation
>also mixes up these concepts though: the callbacks registered with
>notifyOnExpire() are called on cleanup, not on expiry.
>
>It might be possible to fix 3457 in such a way that 3458 would be fixed as
>well without extra effort: if expired sessions are immediately cleaned up,
>it is not possible for an expired session to be revived, since it is simply
>no longer around.
>
>I also wrote a ticket about UID generation:
>
>  Session UID might be predictable
>  http://twistedmatrix.com/trac/ticket/3460
>
>The most important question in this ticket is whether the session UID is
>indeed supposed to be unpredictable, or whether it is good enough if the
>UID is unique. Can someone please answer that?
>
>And finally a ticket about session cookies and HTTPS:
>
>  Use secure session cookie when connection is secure
>  http://twistedmatrix.com/trac/ticket/3461
>

Thanks a lot for filing these issues, Maarten.

Jean-Paul
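
The behaviour the quoted tickets ask for, as an added example that is not part of the original thread and is not twisted.web code: expiry is checked on every lookup so an expired session cannot be revived, the UID comes from a CSPRNG, and the cookie carries Secure only on HTTPS requests. SessionStore, touch, sweep, on_expire and session_cookie are hypothetical names chosen for this sketch.

```python
import secrets
import time
from http.cookies import SimpleCookie


class SessionStore:
    """Hypothetical in-memory store; not twisted.web's Session/Site API."""

    def __init__(self, timeout=900, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock                # injectable so tests can control time
        self.on_expire = []               # callbacks run at expiry, with the uid
        self._last_seen = {}              # uid -> time of last request

    def create(self):
        uid = secrets.token_urlsafe(32)   # CSPRNG: unpredictable, not just unique
        self._last_seen[uid] = self.clock()
        return uid

    def touch(self, uid):
        """Refresh a live session and return True; False if unknown or expired."""
        last = self._last_seen.get(uid)
        if last is None:
            return False
        if self.clock() - last >= self.timeout:
            self._expire(uid)             # expiry and cleanup happen together,
            return False                  # so a late request cannot revive it
        self._last_seen[uid] = self.clock()
        return True

    def sweep(self):
        """Periodic cleanup of sessions that are never requested again."""
        now = self.clock()
        for uid in [u for u, t in self._last_seen.items() if now - t >= self.timeout]:
            self._expire(uid)

    def _expire(self, uid):
        del self._last_seen[uid]
        for callback in self.on_expire:
            callback(uid)


def session_cookie(uid, is_secure):
    """Return the Set-Cookie value; Secure is set only on HTTPS requests."""
    cookie = SimpleCookie()
    cookie["session"] = uid
    cookie["session"]["httponly"] = True
    if is_secure:
        cookie["session"]["secure"] = True
    return cookie["session"].OutputString()
```

With this layout the sweep interval only affects how long unused entries occupy memory, not whether a timed-out session is still accepted.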