[Twisted-web] Session class
exarkun at divmod.com
Fri Oct 3 10:38:53 EDT 2008
On Fri, 3 Oct 2008 13:01:06 +0200, Maarten ter Huurne <maarten at treewalker.org> wrote:
>I looked for tickets describing these issues, and while I found a few that
>describe related issues, I did not find any that describe the same issues.
>Therefore, I entered two new tickets about session expiry:
> Session expiry check frequency should be based on sessionTimeout
> Expired session can be revived
>While writing the first ticket, I realized that I was mixing up session
>expiry and session cleanup. Expiry is when the session timeout occurs,
>while cleanup is when the session object is removed. The implementation
>also mixes up these concepts though: the callbacks registered with
>notifyOnExpire() are called on cleanup, not on expiry.
>It might be possible to fix 3457 in such a way that 3458 would be fixed as
>well without extra effort: if expired sessions are immediately cleaned up,
>it is not possible for an expired session to be revived, since it is simply
>no longer around.
>I also wrote a ticket about UID generation:
> Session UID might be predictable
>The most important question in this ticket is whether the session UID is
>indeed supposed to be unpredictable, or whether it is good enough if the
>UID is unique. Can someone please answer that?
>And finally a ticket about session cookies and HTTPS:
> Use secure session cookie when connection is secure
Thanks a lot for filing these issues, Maarten.
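
The expiry-versus-cleanup gap described in the quoted message, as an added example (not part of the original post and not Twisted's own code): a toy session store with an injected clock, showing how a session past its timeout is revived when expiry is only enforced by a periodic cleanup pass, and how checking on access closes that gap. The class and method names and the 900-second timeout are assumptions made for illustration.

```python
import secrets

class SessionStore:
    """Toy store, not Twisted's Session/Site code; the clock is injected."""
    def __init__(self, clock, timeout=900, check_on_access=True):
        self.clock = clock
        self.timeout = timeout              # constructed value, in seconds
        self.check_on_access = check_on_access
        self.sessions = {}                  # uid -> time of last access
        self.on_expire = []                 # callbacks, called with the uid

    def create(self):
        uid = secrets.token_hex(16)         # unpredictable, not merely unique
        self.sessions[uid] = self.clock()
        return uid

    def _expired(self, uid):
        return self.clock() - self.sessions[uid] >= self.timeout

    def _remove(self, uid):
        del self.sessions[uid]
        for callback in self.on_expire:
            callback(uid)

    def touch(self, uid):
        """Look up a session for a request; True if it is still valid."""
        if uid not in self.sessions:
            return False
        if self.check_on_access and self._expired(uid):
            self._remove(uid)               # expiry and cleanup happen together
            return False
        self.sessions[uid] = self.clock()   # without the check, this revives it
        return True

    def sweep(self):
        """Periodic cleanup pass: remove every session that has timed out."""
        for uid in [u for u in self.sessions if self._expired(u)]:
            self._remove(uid)

def revived_after_timeout(check_on_access):
    """Present a session id after the timeout but before any sweep has run."""
    now = [0]
    store = SessionStore(lambda: now[0], check_on_access=check_on_access)
    uid = store.create()
    now[0] = 1000                           # 100 s past the 900 s timeout
    accepted = store.touch(uid)
    store.sweep()                           # the late sweep finds nothing stale
    return accepted and uid in store.sessions
```
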