On Oct 29, 2005, at 4:14 PM, Michael Watkins wrote:

> What about the first test in fill_response?
>
>     if (session and
>         (get_request().get_scheme() != 'https' or
>          not session.is_valid())):
>         del self.get_sessions()[cookie]
>         session = None
>
> Seems as if you expected there to always be secure communication present for
> sessions; without a more substantial change to allow for insecure sessions,
> the sessions mapping is going to be updated every hit as is, no?

Right. Shall we change that condition to
(session and not session.is_valid())?
I guess the is_valid() can enforce an https scheme if that is desired.
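
Added example, not part of the original message or the project's code: a minimal Python model of the two conditions discussed above, showing which requests keep their session and how a session class can still require https once the scheme test moves into is_valid(). The classes `Session` and `SecureOnlySession`, the helper functions, and passing the scheme as an argument (instead of reading it from get_request()) are assumptions made for illustration.

```python
import time

class Session:
    """Stand-in session: valid while younger than max_age."""
    max_age = 3600  # seconds; constructed value

    def __init__(self):
        self.created = time.time()

    def is_valid(self, scheme):
        # Assumption: scheme is passed in; the quoted code reads it
        # from get_request().get_scheme().
        return time.time() - self.created < self.max_age

class SecureOnlySession(Session):
    """Stand-in session that also rejects any non-https request."""

    def is_valid(self, scheme):
        return scheme == 'https' and super().is_valid(scheme)

def lookup_original(sessions, cookie, scheme):
    """Condition quoted in the message: the caller tests the scheme."""
    session = sessions.get(cookie)
    if session and (scheme != 'https' or not session.is_valid(scheme)):
        del sessions[cookie]
        session = None
    return session

def lookup_proposed(sessions, cookie, scheme):
    """Proposed condition: only the session decides its validity."""
    session = sessions.get(cookie)
    if session and not session.is_valid(scheme):
        del sessions[cookie]
        session = None
    return session

def surviving_hits(lookup, session_class, scheme, hits=3):
    """Count how many of `hits` requests still find the stored session."""
    sessions = {'c1': session_class()}
    return sum(lookup(sessions, 'c1', scheme) is not None
               for _ in range(hits))

if __name__ == '__main__':
    for lookup in (lookup_original, lookup_proposed):
        for cls in (Session, SecureOnlySession):
            for scheme in ('http', 'https'):
                print(lookup.__name__, cls.__name__, scheme,
                      surviving_hits(lookup, cls, scheme))
```

With the proposed condition, a plain `Session` is accepted over http, so deployments that must not carry session cookies in cleartext need the https test inside is_valid(), as `SecureOnlySession` does here.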