[mod_python] the domain name in mod_python's session/cookiemanagement

Graham Dumpleton grahamd at dscpl.com.au
Mon Mar 20 17:37:37 EST 2006


Kevin Wang wrote ..
> Hi All,
> 
> When a new session/cookie is created on mod_python side, from the source
> code (mod_python/Session.py, mod_python/Cookie.py), I don't see how 
> mod_python sets the domain name for the Set-Cookie http header.
> 
> Without the domain name, the cookie set in the browser is useless (at least
> in IE). 

In what way is it useless? The session code has been the way it has for
quite a while and no one has complained previously.

> How does it work?  Have I missed anything?
> 
> Any help or input is appreciated.

I am not a cookie expert, but reading the cookie FAQ, it says:

  If Domain is not set explicitly, then it defaults to the full domain of the
  document creating the cookie.

I take this to mean though that if a domain isn't set it would be up to the
browser to ensure that it only uses the cookie against the original site
that issued it. Thus, that mod_python doesn't set it should not be an
issue.

It could be said though that the current session implementation is a
bit limiting in that it precludes cross site session cookies within
an enclosing domain. The code could perhaps be enhanced to allow an
option to be set to force the inclusion of a "domain" attribute in the
cookie for the session much like it currently allows with the "path"
attribute. The option for the latter is "ApplicationPath". As noted in:

  https://issues.apache.org/jira/browse/MODPYTHON-127

there is an intent to properly namespace these mod_python options
so maybe there should be an option:

  mod_python.Session.application_domain

with Session code implementing:

        # config is the request options (req.get_options());
        # c is the session's Cookie object
        if config.has_key("mod_python.Session.application_domain"):
            c.domain = config["mod_python.Session.application_domain"]

Setting the domain though would only be required if you want cross
site session cookies within an enclosing domain, it would not be required
for a single site.

If you are having some problem with even a single site, maybe it is
that the site issues too many cookies and the browser is throwing away
the least used ones:

  Both Internet Explorer and Netscape conform to the RFC 2109 limitations
  on your total cookie count to 300 (this includes a limit of 20 cookies per
  individual domain). If you exceed this, the browser will discard your
  least-used cookies to make room for the new ones.

In other words, maybe the site code is broken in some way and
generating spurious cookies on every request.

FYI, the cookie FAQ can be found at:

  http://www.cookiecentral.com/faq/

Graham
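The following is an added example, not code from this list post or from mod_python itself. It models the option lookup Graham sketches and the browser-side rules that make an unset Domain attribute safe for a single site: a cookie without Domain is a host-only cookie that the browser sends back only to the exact host that issued it, while a cookie carrying Domain=.example.com is sent to every host under example.com. The functions, the plain-dict stand-in for req.get_options(), and the option name mod_python.Session.application_domain (Graham's proposal, never an actual option) are all assumptions; the domain-matching rules follow RFC 6265 sections 5.1.3 and 5.3.

```python
"""Added example (not mod_python code): how the Domain attribute scopes a
session cookie, modelled with plain functions so it runs without a browser.
"""

SESSION_COOKIE = "pysid"            # mod_python's default session cookie name
PROPOSED_DOMAIN_OPTION = "mod_python.Session.application_domain"  # hypothetical


def build_set_cookie(options, name=SESSION_COOKIE, value="abc123"):
    """Render the Set-Cookie value the proposed Session option would produce.

    `options` is a plain dict standing in for req.get_options().
    "ApplicationPath" is the existing option the thread mentions; the domain
    option is the hypothetical one from the thread. Session id is constructed.
    """
    attrs = ["%s=%s" % (name, value)]
    if "ApplicationPath" in options:
        attrs.append("Path=%s" % options["ApplicationPath"])
    if PROPOSED_DOMAIN_OPTION in options:
        attrs.append("Domain=%s" % options[PROPOSED_DOMAIN_OPTION])
    return "; ".join(attrs)


def domain_matches(host, domain):
    """RFC 6265 5.1.3 domain-match: equal, or host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def store_cookie(set_cookie, request_host):
    """Model the browser storing a Set-Cookie received from request_host.

    Returns (name, value, domain, host_only). With no Domain attribute the
    cookie is host-only and bound to the issuing host (RFC 6265 5.3 step 6);
    with a Domain attribute the leading dot is ignored and the value must
    domain-match the issuing host, otherwise the browser rejects the cookie.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain":
            domain = val.lower().lstrip(".")
    if domain is None:
        return name, value, request_host.lower(), True
    if not domain_matches(request_host, domain):
        raise ValueError("Domain=%s does not cover %s; cookie rejected"
                         % (domain, request_host))
    return name, value, domain, False


def cookie_sent_to(cookie, target_host):
    """Would the browser attach this stored cookie to a request for target_host?"""
    _name, _value, domain, host_only = cookie
    if host_only:
        return target_host.lower() == domain      # exact host only
    return domain_matches(target_host, domain)    # any host under the domain


if __name__ == "__main__":
    # Single site, no domain option: cookie stays with www.example.com only.
    single = store_cookie(build_set_cookie({"ApplicationPath": "/app"}),
                          "www.example.com")
    print(single, cookie_sent_to(single, "shop.example.com"))
    # Enclosing-domain option set: cookie is shared across *.example.com.
    shared = store_cookie(build_set_cookie({PROPOSED_DOMAIN_OPTION: ".example.com"}),
                          "www.example.com")
    print(shared, cookie_sent_to(shared, "shop.example.com"))
```

The model makes Graham's point concrete: for a single site the browser already scopes a Domain-less session cookie to the issuing host, so nothing is lost by not setting it. Setting Domain to the enclosing domain is what enables cross-site sessions within it, and the flip side is that every host under that domain then receives the session cookie, so the option widens who can read the session id and should be set only as broadly as the sites that actually share the session.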