Webware for Python

Nick Murtagh schrieb:
> Hi,
> 
> I have two webware apps running on the same domain, one on /default/ and
> the other on /admin/. To avoid the session cookies from colliding, I
> made a small change in HTTPResponse.py:recordSession. The line
> 
> cookie.setPath('/')
> 
> is replaced by
> 
> cookie.setPath(self._transaction.application().setting('SessionCookiePath', 
> '/'))

Nick, can you check whether the following solves the problem, too?

cookie.setPath(self._transaction.request().adapterName())

That way you will not need to configure anything (we can still make it 
configurable).

-- Chris

Hi Nick,

you recently posted the following on the Webware mailing list:

> I have two webware apps running on the same domain, one on /default/ and
> the other on /admin/. To avoid the session cookies from colliding, I
> made a small change in HTTPResponse.py:recordSession. The line
> cookie.setPath('/')
> is replaced by
> cookie.setPath(self._transaction.application().setting('SessionCookiePath', 
> '/'))
> Now I can put
> SessionCookiePath = '/default/'
> in Application.config for the first app and
> SessionCookiePath = '/admin/'
> in Application.conf for the second and hey presto the sessions are
> independent :)

Since I want to make a new Webware release soon, I'd like to have that 
fixed there. My idea is to replace the above line by the following:

cookie.setPath(self._transaction.request().adapterName())

This has the advantage that you don't need to configure anything. Can 
you give me feedback whether this would solve the problem for you?

Greetings
-- Chris

> Since I want to make a new Webware release soon, I'd like to have that
> fixed there. My idea is to replace the above line by the following:
>
> cookie.setPath(self._transaction.request().adapterName())
>
> This has the advantage that you don't need to configure anything. Can
> you give me feedback whether this would solve the problem for you?

Hi Chris,

It turned out that my original idea didn't quite work in practice,
and then I found that webware already includes the feature I needed.

In

http://svn.w4py.org/Webware/trunk/WebKit/Application.py

Application.__init__ uses a setting called SessionName
to control the name of the session for each application.
Setting SessionName differently for my two applications
solved the problem.

The only improvement I can think of would be to add a commented
out SessionName directive to the default Application config. I
only found out it existed by reading the code :)

Nick

Thanks for the feedback, Nick.

> It turned out that my original idea didn't quite work in practice,
> and then I found that webware already includes the feature I needed.
> In http://svn.w4py.org/Webware/trunk/WebKit/Application.py
> Application.__init__ uses a setting called SessionName
> to control the name of the session for each application.
> Setting SessionName differently for my two applications
> solved the problem.

Yes, this changes the name of the cookie with the session id.

> The only improvement I can think of would be to add a commented
> out SessionName directive to the default Application config. I
> only found out it existed by reading the code :)

Actually, it's described in the docs as well, but I agree reading the 
code is sometimes easier :-)
http://www.webwareforpython.org/WebKit/Docs/Configuration.html#path-handling

I'll put it in the default config as well.

Anyway, I'm curious why your original approach did not work in practice 
as well. I think setting the cookie path to the adapterName() instead of 
'/' will avoid the necessity of setting different SessionNames and at 
the same time also improve security (see 
http://www.net-security.org/dl/articles/cookie_path.pdf).

Does anything speak against such a patch?

-- Chris