[Twisted-web] Session class

Jean-Paul Calderone exarkun at divmod.com
Fri Oct 3 10:38:53 EDT 2008

On Fri, 3 Oct 2008 13:01:06 +0200, Maarten ter Huurne <maarten at treewalker.org> wrote:
> [snip]
>I looked for tickets describing these issues, and while I found a few that
>describe related issues, I did not find any that describe the same issues.
>Therefore, I entered two new tickets about session expiry:
>  Session expiry check frequency should be based on sessionTimeout
>  http://twistedmatrix.com/trac/ticket/3457
>  Expired session can be revived
>  http://twistedmatrix.com/trac/ticket/3458
>While writing the first ticket, I realized that I was mixing up session
>expiry and session cleanup. Expiry is when the session timeout occurs,
>while cleanup is when the session object is removed. The implementation
>also mixes up these concepts though: the callbacks registered with
>notifyOnExpire() are called on cleanup, not on expiry.
>It might be possible to fix 3457 in such a way that 3458 would be fixed as
>well without extra effort: if expired sessions are immediately cleaned up,
>it is not possible for an expired session to be revived, since it is simply
>no longer around.
>I also wrote a ticket about the UIDs generation:
>  Session UID might be predictable
>  http://twistedmatrix.com/trac/ticket/3460
>The most important question in this ticket is whether the session UID is
>indeed supposed to be unpredictable, or whether it is good enough if the
>UID is unique. Can someone please answer that?
>And finally a ticket about session cookies and HTTPS:
>  Use secure session cookie when connection is secure
>  http://twistedmatrix.com/trac/ticket/3461

Thanks a lot for filing these issues, Maarten.


More information about the Twisted-web mailing list