Webware for Python

Hi Steve,

thanks for the detailed write-up; I see the problem. The current session 
handling is really not ideal when you're using AJAX (which is no wonder 
since Webware has been designed before anybody even thought about that).

IMHO the most simple solution would be to keep a "dirty flag" (set 
whenever __setitem__ or __delitem__ is called for the session) and then 
save the session only when the dirty flag has been set. This will also 
be good for performance. We could also add an AppConfig setting for 
manual saving (False by default to maintain backward compatibility). In 
this case, the dirty flag would not be set automatically, but by calling 
a save() method on the session.

But I'm already seeing a problem with that approach: Since the 
lastAccessTime is stored along with the session, it will not get updated 
if the session is not saved, so the session will expire too early if the 
user does not do anything that alters the session.

We could also keep a "dirty set" instead of a dirty flag. This set would 
contain all keys of the session for which the value has been changed or 
deleted. When the session store saves the session, it would then merge 
the current session values with the dirty set. This would require an 
additional session read operation, though. And it would be a pretty 
substantial change to the current session store(s). I'd rather avoid 
such drastic changes at least for the upcoming 1.1 version.

-- Christoph

On Thu, Mar 3, 2011 at 9:28 AM, Christoph Zwerschke <cito@...> wrote:

> IMHO the most simple solution would be to keep a "dirty flag" (set
> whenever __setitem__ or __delitem__ is called for the session) and then
> save the session only when the dirty flag has been set. This will also
> be good for performance. We could also add an AppConfig setting for
> manual saving (False by default to maintain backward compatibility). In
> this case, the dirty flag would not be set automatically, but by calling
> a save() method on the session.
>
> But I'm already seeing a problem with that approach: Since the
> lastAccessTime is stored along with the session, it will not get updated
> if the session is not saved, so the session will expire too early if the
> user does not do anything that alters the session.
>

I kind of don't care if the lastAccessTime isn't updated in this session
saving "mode". We use very long session expiry times so if a "read only"
user had to relogin a little more frequently I don't think it would be an
issue that anyone would notice. Also for our system at some point they will
perform an action that modifies the session.

Since this is a new feature which Webware users would have to turn on I'd
recommend we do "the simplest thing that works" and provide a new config
setting for Sessions that takes multiple values:
"EveryRequest" - default and current functionality
"WhenChanged" - only saves when add/delete has been called

Best Regards,
Steve

Btw, which kind of session store are you using? The default DynamicStore 
is based on the MemoryStore, and here requests share the same session 
object. So the scenario you described should actually not cause a 
problem for this kind of session store.

-- Christoph

On Thu, Mar 3, 2011 at 2:23 PM, Christoph Zwerschke <cito@...> wrote:

> Btw, which kind of session store are you using? The default DynamicStore
> is based on the MemoryStore, and here requests share the same session
> object. So the scenario you described should actually not cause a
> problem for this kind of session store.
>

We use multiple appservers without session affinity so we use
MemcacheSession to share sessions across appservers
Best Regards,
Steve

Am 03.03.2011 21:38 schrieb Steve Schwarz:
> We use multiple appservers without session affinity so we use
> MemcacheSession to share sessions across appservers

Ok, that explains why you've run into that issue. The session objects 
are not shared between threads in this case.

So the simplest solution would be to keep a "dirty flag" and store the 
session only if that flag changed or when a save() method is called. I 
guess save() could actually be added as a synonym for storeSession() and 
in this method, the "dirty flag" should be reset of course.

Not sure if we should make it the standard mode for the FileStore and 
the MemcacheStore, because it's not 100% backward compatible, 
particularly because the lastAccessTime will not be updated.

Of course we could always update the lastAccessTime in case the session 
is not dirty, but this would require an additional read operation and 
decrease performance.

-- Christoph

Hi Steve,

I have now implemented this option in the trunk,
http://svn.w4py.org/Webware/trunk in r8156.

You need to set AlwaysSaveSessions = False in
Application.config to activate it.

Let me know how it works as I want to release 1.1rc1 and then 1.1 as 
soon as possible.

-- Christoph