[Twisted-Python] twisted.web.woven.guard.SessionWrapper problems

Glyph Lefkowitz glyph at twistedmatrix.com
Mon May 12 20:13:08 MDT 2003


On Monday, May 12, 2003, at 02:26 AM, Matthias Urlichs wrote:

> Some browsers, including wget, don't like _at_all_ when you have a cycle
> in your redirections, even though they should notice that they now have a
> cookie while formerly they didn't.

I guess they really expect GET to be idempotent :-\

> Therefore I propose to rewrite the SessionWrapper to always change the
> user's path, like this (the string "sp" is self.cookieKey):
[...]
> so that access with no session can be distinguished from a plain link into
> /sessionized-url/foo; the latter means the user might want to log in, but
> the former should tell the user that their session has timed out before
> offering the login page.

What's problematic about this is that if the user bookmarks a page, or 
exchanges a link, I want to initialize the session without changing the 
URL.  In fact, it's somewhat pointless to have a URL (stateless 
location identifier) that specifically only works if you've initiated a 
stateful conversation.

Maybe there are some ways we could monkey with HTTP to cause browsers 
to be happier here: would a 307 (Temporary Redirect) be more 
appropriate than a 302 (Found)?  Or perhaps would these browsers be 
happier if we redirected them to 
/sessionized-url/foo?__session_just_started__=1 rather than 
/sessionized-url/foo ?  It would be unusual to bookmark that URL, since 
the extra crud would only be on the first URL you hit, and if you did 
we could always remove the query string rather than adding it.

> An additional advantage of this scheme would be that
> .../unsessionized-url/ can be reached with a constant number of backpaths.

This, however, I like.  I don't know if cookieKey is the right thing to 
use in the URL there, but having relative URLs that match regardless of 
your session negotiation strategy is a _big_ plus.
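The redirect negotiation discussed in this message, as an added sketch that is not part of the original post and is not Twisted's code: it compares redirecting to the same URL with redirecting to the `__session_just_started__` marker URL, against a strict client that refuses to revisit a URL in one redirect chain. The function names, the in-memory session store and the client model are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlsplit, parse_qsl, urlencode

MARKER = "__session_just_started__"   # query key taken from the message
SESSIONS = set()                      # constructed in-memory session store

def respond(url, cookie, use_marker):
    """Hypothetical server side: return (status, location, set_cookie) for one GET."""
    if cookie in SESSIONS:
        return 200, None, None                    # session established, serve the page
    token = secrets.token_urlsafe(16)             # unguessable session id
    SESSIONS.add(token)
    if not use_marker:
        return 302, url, token                    # redirect back to the same URL
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if any(k == MARKER for k, _ in query):        # bookmarked marker URL: strip it
        query = [(k, v) for k, v in query if k != MARKER]
    else:                                         # first hit: add the marker
        query.append((MARKER, "1"))
    return 302, parts._replace(query=urlencode(query)).geturl(), token

def fetch(url, use_marker, accepts_cookies=True, max_hops=5):
    """Hypothetical strict client: treats any repeated URL in a chain as a cycle."""
    cookie, seen = None, []
    for _ in range(max_hops):
        if url in seen:
            return "cycle", seen + [url]
        seen.append(url)
        status, location, set_cookie = respond(url, cookie, use_marker)
        if accepts_cookies and set_cookie:
            cookie = set_cookie
        if status == 200:
            return "ok", seen
        url = location
    return "too many redirects", seen
```

A client that never stores the cookie still ends in a cycle under the marker scheme, so the server needs a separate path for cookieless clients.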