[Twisted-Python] usage of sessions in twisted.web?

Glyph Lefkowitz glyph at twistedmatrix.com
Sun Dec 22 12:13:25 EST 2002

There's some good news, and some bad news.  First the bad news:

On Sat, 21 Dec 2002 22:54:06 +0200, Tommi Virtanen <tv at twistedmatrix.com> wrote:

> All in all, I suggest reading ldaptor sources, if you have time and can
> suppress the vomiting reflex -- there are parts that make me sick, too. But
> in general it's starting to shape up nicely.

I just did so.  Ldaptor itself didn't gross me out too much.  However, the
webui module was... unfortunate :-(.  I notice you're using web.widgets (which
we have noisily been attempting to deprecate for the last 3 months or so) for
the UI.  I don't think there's really much of an upgrade path beyond "rewrite
most of your web UI logic", especially if you want to take advantage of some of
the new features coming online in woven.

Now for some good news:

Everything you're doing now will continue to work for quite some time into the
future, since twisted.web.widgets was the only way to do dynamic content in
Twisted for most of its lifetime.  Even the server.Session and
guard.ResourceGuard classes are being left in place and gradually deprecated in
favor of woven.guard.SessionWrapper and woven.guard.PerspectiveWrapper.  You
should be able to migrate one function at a time very gradually.

> Ldaptor uses HTTP sessions for all everything else but read-only
> operations. A connection to the LDAP server is actually stored into the HTTP
> session data. One specific requirement is the ability to expire the HTTP
> session and ask for reauthentication when the LDAP server connection is lost.

The new woven.guard module will feature not only session expiry but
authentication expiry without creating a new session.  Additionally it will
support URL-based sessions if your browser doesn't feel like allowing cookies.

It will also feature a more graceful way to log in to multiple perspectives at
a time.  If your application is amenable to it, you may even be able to perform
a simple sort of web-based capability exchange, where you can temporarily give
another user a limited permission to act as you in some regards but not others,
by exchanging a generated session URL.

> PS. Losing POST form input due to missing authentication sucks. If you can
> find a clean way around that, I would appreciate it.

And of course this will be fixed :-).  There are many reasons why I *wanted* to
rewrite the sessions stuff, but this is why I *had* to do it.  Pretty much
everything in the world that I need to be authenticated involves at least 3
form POSTs.

 |    <`'>    |  Glyph Lefkowitz: Traveling Sorcerer   |
 |   < _/ >   |  Lead Developer,  the Twisted project  |
 |  < ___/ >  |      http://www.twistedmatrix.com      |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://twistedmatrix.com/pipermail/twisted-python/attachments/20021222/8e02b676/attachment.pgp 

More information about the Twisted-Python mailing list