[mod_python] Sessions and problems with cookie path attribute

Daniel J. Popowich dpopowich at mtrsd.k12.ma.us
Mon Dec 22 11:02:45 EST 2003

> I had a serious problem getting sessions to work with an app I'm
> writing (modpython 3.1.2b, httpd-2.0.40, python 2.3.2) and after
> browsing the archives I've seen others getting bitten by the same
> problem...
> Session ids are stored on the client as a cookie with name pysid.
> This is fine and the cookie gets stored, but the path attribute can
> get badly mangled by the code in Session.BaseSession.make_cookie(), in
> particular, this section:
>         if config.has_key("ApplicationPath"):
>             c.path = config["ApplicationPath"]
>         else:
>             docroot = self._req.document_root()
>             # the path where *Handler directive was specified
>             dirpath = self._req.hlist.directory 
>             c.path = dirpath[len(docroot):]
> If you don't have AppliationPath set as a PythonOption and your
> handler isn't in a <Directory> under DocumentRoot you're probably
> going to have trouble.  Two scenarios hurt me:
>   1.  using a handler inside a <Location>.  There is no path.  My
>       browser (galeon 1.2.7) hung for infinity on reloads.  Never
>       could figure out why.
>   2.  using mod_python under UserDir directories.  I do this for
>       prototyping because it's so easy to tweak a .htaccess file under
>       a ~username/public_html subdirectory and you don't have to
>       restart/reload apache to see your changes.  In this situation
>       the length of DocumentRoot has no relationship to the URIs so
>       the path attribute of the cookie gets oddly chopped at the
>       head.  I kept getting new sessions because the browser wasn't
>       sending the cookie because of paths not matching the uri.
> I believe the same problem will occur under certain circumstances if
> Alias directives affect mod_python usage although I haven't tested
> this.
> I think the ELSE clause above is trying to do something that can't be
> done easily: extract the leading uri of the handler.  With Alias,
> UserDir and Location directives, it's pretty difficult.  Is it
> possible?  Perhaps the code shouldn't try to be so clever.  Default
> the path to "/" unless the Session constructor overrides the value??
> My temporary fix is to always explicitly use ApplicationPath.  Setting
> it to "/" is certainly general enough for my prototyping.
> Minimally, I think the documentation for Session should devote some
> space to addressing and clarifying this issue.

I need to correct myself.  The problem does not occur inside
<Location> directives (the hanging problem I referred to was a bug in
my application: my session instance was not being garbage collected).
In fact, when using Sessions inside <Location> URIs no path attribute
is specified in the Cookie, so it is ALWAYS sent back to the server.

However, I have confirmed that this problem exists for uses of Session
within handlers referenced via Alias directives.

In summary, if you use Sessions in handlers referenced via UserDir or
Alias directives you have to use "PythonOption ApplicationPath ..." in
your config.

Daniel Popowich
Network Specialist
Mohawk Trail Regional School District
24 Ashfield Rd.
Shelburne Falls, MA 01370
413.625.0192 x22

More information about the Mod_python mailing list