[mod_python] Sessions and problems with cookie path attribute

Daniel J. Popowich dpopowich at mtrsd.k12.ma.us
Fri Dec 19 16:31:45 EST 2003

I had a serious problem getting sessions to work with an app I'm
writing (modpython 3.1.2b, httpd-2.0.40, python 2.3.2) and after
browsing the archives I've seen others getting bitten by the same

Session ids are stored on the client as a cookie with name pysid.
This is fine and the cookie gets stored, but the path attribute can
get badly mangled by the code in Session.BaseSession.make_cookie(), in
particular, this section:

        if config.has_key("ApplicationPath"):
            c.path = config["ApplicationPath"]
            docroot = self._req.document_root()
            # the path where *Handler directive was specified
            dirpath = self._req.hlist.directory 
            c.path = dirpath[len(docroot):]

If you don't have AppliationPath set as a PythonOption and your
handler isn't in a <Directory> under DocumentRoot you're probably
going to have trouble.  Two scenarios hurt me:

  1.  using a handler inside a <Location>.  There is no path.  My
      browser (galeon 1.2.7) hung for infinity on reloads.  Never
      could figure out why.

  2.  using mod_python under UserDir directories.  I do this for
      prototyping because it's so easy to tweak a .htaccess file under
      a ~username/public_html subdirectory and you don't have to
      restart/reload apache to see your changes.  In this situation
      the length of DocumentRoot has no relationship to the URIs so
      the path attribute of the cookie gets oddly chopped at the
      head.  I kept getting new sessions because the browser wasn't
      sending the cookie because of paths not matching the uri.

I believe the same problem will occur under certain circumstances if
Alias directives affect mod_python usage although I haven't tested

I think the ELSE clause above is trying to do something that can't be
done easily: extract the leading uri of the handler.  With Alias,
UserDir and Location directives, it's pretty difficult.  Is it
possible?  Perhaps the code shouldn't try to be so clever.  Default
the path to "/" unless the Session constructor overrides the value??

My temporary fix is to always explicitly use ApplicationPath.  Setting
it to "/" is certainly general enough for my prototyping.

Minimally, I think the documentation for Session should devote some
space to addressing and clarifying this issue.

Daniel Popowich
Network Specialist
Mohawk Trail Regional School District
24 Ashfield Rd.
Shelburne Falls, MA 01370
413.625.0192 x22

More information about the Mod_python mailing list