[mod_python] Question about Session security

Graham Dumpleton grahamd at dscpl.com.au
Wed Jun 15 19:54:08 EDT 2005


Okay, badly thought out response which I am sure you will point
out. The autosave option if done would still be optionally enabled
at point of creation of session or something. The save could be
done at same point unlock is done by registered cleanup handler
for session object.

I.e., as long as autosave isn't the default and is only on by explicit
choice made by the user when they create the session. That way
others can still make autosave themselves in other ways.

Graham Dumpleton wrote ..
> Jim Gallacher wrote ..
> > Dan Eloff wrote:
> > > Good point, mod_python is very flexible. I really like that.
> > > 
> > > I have one more question about sessions. Are they saved automatically,
> > > or do I have to explicitly call .save()?
> > 
> > You must call save(). I have been thinking about an autosave though.
> > Anyone else have any thoughts?
> 
> I would vote for NO autosave.
> 
> It is like the IP issue on Session object, by adding it you are potentially
> restricting in what ways it can be used. I.e., what if I want to bail out
> of a request without saving anything, how would I stop it from saving?
> 
> The ability to save a session object automatically is something that people
> can do easily enough within their own frameworks if they want to, so it
> is probably better off left that way.
> 
> Graham
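
The opt-in autosave discussed in this thread, sketched as an added example that is not part of the original messages and is not mod_python code. `FakeRequest`, `SketchSession`, `discard()` and `run_request()` are hypothetical stand-ins; the sketch assumes the save happens in the same registered cleanup that releases the lock, and that a request which bails out must not persist its changes.

```python
# Added illustration: stand-ins only, NOT mod_python's request or Session classes.

class FakeRequest:
    """Hypothetical request that runs registered cleanups when it finishes."""
    def __init__(self):
        self._cleanups = []

    def register_cleanup(self, func, data=None):
        self._cleanups.append((func, data))

    def finish(self):
        for func, data in self._cleanups:
            func(data)


class SketchSession(dict):
    """Hypothetical session: autosave is off unless requested at creation."""
    def __init__(self, req, store, sid, autosave=False):
        super().__init__(store.get(sid, {}))
        self._store, self._sid = store, sid
        self.autosave = autosave
        self.locked = True
        req.register_cleanup(self._cleanup)

    def save(self):
        self._store[self._sid] = dict(self)

    def discard(self):
        """Bail out: suppress the autosave for this request only."""
        self.autosave = False

    def _cleanup(self, _data=None):
        try:
            if self.autosave:
                self.save()
        finally:
            self.locked = False  # the lock is released even if save() fails


def run_request(store, sid, autosave, handler):
    """Run one constructed request; a handler error discards unsaved changes."""
    req = FakeRequest()
    sess = SketchSession(req, store, sid, autosave=autosave)
    try:
        handler(sess)
    except Exception:
        sess.discard()  # demo only: swallow the error, persist nothing
    finally:
        req.finish()
    return sess
```
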

