|
Graham Dumpleton
grahamd at dscpl.com.au
Mon Mar 20 17:37:37 EST 2006
Kevin Wang wrote .. > Hi All, > > When a new session/cookie is created on mod_python side, from the source > code (mod_python/Session.py, mod_python/Cookie.py), I don't see how > mod_python sets the domain name for the Set-Cookie http header. > > Without the domain name, the cookie set in the browser is useless (at least > in IE). In what way is it useless? The session code has been the way it has for quite a while and no one has complained previously. > How does it work? Am I missed anything? > > Any help or input is appreciated. I am not a cookie expert, but reading the cookie FAQ, it says: If Domain is not set explicitly, then it defaults to the full domain of the document creating the cookie. I take this to mean though that if a domain isn't set it would be up to the browser to ensure that it only uses the cookie against the original site that issued it. Thus, that mod_python doesn't set it should not be an issue. It could be said though that the current session implementation is a bit limiting though in that it precludes cross site session cookies within an enclosing domain. The code could perhaps be enhanced to allow an option to be set to force the inclusion of a "domain" attribute in the cookie for the session much like it currently allows with the "path" attribute. The option for the latter is "ApplicationPath". As noted in: https://issues.apache.org/jira/browse/MODPYTHON-127 there is an intent to properly namespace these mod_python options so maybe there should be an option: mod_python.Session.application_domain with Session code implementin: if config.has_key("mod_python.Session.application_domain"): c.domain = config["mod_python.Session.application_domain"] Setting the domain though would only be required if you want cross site session cookies within an enclosing domain, it would not be required for a single site. If you are having some problem with even a single site, maybe it is that the site issues too many cookies and the browser is throwing away the least used ones: Both Internet Explorer and Netscape conform to the RFC 2109 limitations on your total cookie count to 300 (this includes a limit of 20 cookies per individual domain). If you exceed this, the browser will discard your least-used cookies to make room for the new ones. In other words, maybe the site code is broken in some way and generating spurious cookies on every request. FYI, the cookie FAQ can be found at: http://www.cookiecentral.com/faq/ Graham
|