[mod_python] Authentification/Session Management

Jorey Bump list at joreybump.com
Fri Oct 29 12:12:55 EDT 2004

Lukas Trejtnar wrote:

> Thank you for the examples. I tried the latter and it worked exactly as 
> I wanted it to work. I reused this example in the PythonAuthenHandler 
> and it worked fine, also. Great, many thanks.

No problem. I've been putting off learning more about sessions because I 
hate to use cookies. I'm glad you asked the question.

If you get a chance, check the code with a variety of browsers. I get 
perfect results from the latest versions of IE and lynx. Mozilla 1.7.3 
works, but only displays the realm name in the first login box. 
Subsequent logins identify the realm as "" (this may be a display bug, 
since the Live HTTP headers plugin clearly shows the realm name being 
sent from the server -- I'll have to do a proper sniff to see if there 
is any difference).

Opera 7.54 begins the session, but returns an "internal communication 
error" instead of putting up a new login when the max time has elapsed. 
Both the session and authorization code work well standalone, but Opera 
doesn't like the way I combine them.

> I'm a bit curious if it is possible to use session's native functions 
> for the same functionality instead of a reimplementation of the 
> session's timeout.

My guess is that the timeout is really a server side housekeeping 
feature, since it doesn't affect the expiration date of the cookie. And 
the Session.last_accessed() always returns the current time (which is 
probably correct, but begs for the presence of 
Session.time_before_last_accessed()). I think Session.is_new() is meant 
to be used for initialization code, so destroying a user's session to 
gain this functionality seems less than optimum.

I got all of my info here:


but it's a bit terse. Does anyone have a URL for the underlying Apache 
session documentation? I can't find it, and the mod_usertrack page is 
pretty lean.
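
The point above about Session.last_accessed(), as an added example that is not part of the original post and is not mod_python code: if loading a session stamps the access time, an idle check has to keep its own "previous request" timestamp inside the session. StubSession, the prev_access key, the 300-second limit and the sample timestamps are constructed assumptions; the stub only models the behaviour the post describes.

```python
class StubSession(dict):
    """Constructed dict-like stand-in for a server-side session.

    Models the behaviour described in the post: loading the session
    stamps the access time, so last_accessed() reports "now".
    """

    def __init__(self, store, sid, now):
        super().__init__(store.get(sid, {}))
        self._store, self._sid, self._accessed = store, sid, now
        self._new = sid not in store

    def is_new(self):
        return self._new

    def last_accessed(self):
        return self._accessed

    def save(self):
        # Persist the session data for the next request.
        self._store[self._sid] = dict(self)


def idle_seconds(session, now):
    """Seconds since the previous request, from our own stored stamp."""
    previous = session.get("prev_access")  # hypothetical key name
    session["prev_access"] = now           # becomes "previous" next time
    session.save()
    return 0 if previous is None else now - previous


def handle(store, sid, now, max_idle=300):
    """Return (decision, naive_idle, real_idle) for one request.

    decision is 'reauth' when the handler should answer 401 so the
    browser asks for credentials again, otherwise 'ok'.
    """
    session = StubSession(store, sid, now)
    # Idle time derived from last_accessed() is always 0 in this model,
    # because the stamp was refreshed when the session was loaded.
    naive_idle = now - session.last_accessed()
    real_idle = idle_seconds(session, now)
    decision = "reauth" if real_idle > max_idle else "ok"
    return decision, naive_idle, real_idle
```

Answering 401 after the idle limit only makes the browser prompt again; the Basic credentials themselves remain valid on the server, so this is a re-prompt and not a revocation.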
