[Twisted-web] _nevow_carryover_

Donovan Preston dp at ulaluma.com
Tue May 10 17:10:25 MDT 2005 

On May 10, 2005, at 2:37 PM, Paul Moore wrote:


> Can someone tell me what the _nevow_carryover_ argument that gets
> added to URLs as part of form processing is for? Is there any way of
> suppressing it (and presumably handling the functionality in an
> alternative way)? It looks session-related, but if I delete it and
> re-enter the base URL, there seems to be no difference.
>
> I've looked at the source code, but it baffles me :-(
>
> Is it another of these redirect loop hacks, like __start_session__?
>

This is used to implement the formless "IHand" when no guard session  
or cookie-based session is present (and it is always used regardless  
of whether they are present).

I know this annoys people. It annoys me that it annoys people :-) But  
I would like to fix it once and for all.

The IHand is the return result of an autocallable. It is stored in a  
global dictionary, keyed by the _nevow_carryover_ value, and after  
the POST to GET redirect occurs (with the _nevow_carryover_ parameter  
added), the value is retrieved out of the dictionary and stored as  
IHand on the context.

Solutions to removing this annoyance:

1) If the autocallable returns None, or returns a Deferred which  
fires with None, do not add _nevow_carryover_ and do not set IHand.  
This will cover a large number of the man-_nevow_carryover_-is- 
annoying cases.

If someone is using formless to expose methods as autocallable, and  
merely does database munging in the autocallable, and does not ever  
return a result, then they will never see _nevow_carryover_.

2) If the user actually is returning values from the autocallable,  
and is actually looking for the result in the IHand of the next  
request: Check to see if there is a guard session. If so, store the  
hand there for the duration of the redirect.

This will solve cases where people actually are using the IHand  
(probably rare) AND are using guard sessions (Probably 100% of the  
rare cases)

3) Finally, if people ARE returning results from autocallables, AND  
ARE NOT using guard AND are still annoyed with _nevow_carryover_, I  
have an idea which involves putting the mini-session key in the <form  
action=""> instead of the redirect. Since users only see the action  
url during the time it takes their browser to redirect, and the  
redirected request can pull the mini-session key out of the referrer,  
this would work.

dp

More information about the Twisted-web mailing list