I've just discovered a teensy little flaw in Quixote's session management code: if the SESSION_COOKIE_PATH config variable is not set, then Quixote sets the cookie without a "Path" parameter, e.g.:

    Set-Cookie: QX_session="..."

which means the browser is only supposed to send that session cookie to URLs that are "under" the URL that sent the cookie in the first place. So if the first request in a session is deep in an application's URL-space, then the session cookie will not be sent for requests that are higher up. E.g. if my application is at "/bugs/", and the first request is for "/bugs/0123/", then my browser will send the session cookie to "/bugs/0123/edit", but not to "/bugs/0124/" or to the application root, "/bugs/".

The fix is pretty obvious: make the default session cookie path the URL of the application root, which is conveniently available in SCRIPT_NAME. Patch attached. With this patch, the above Set-Cookie header would be

    Set-Cookie: QX_session="..."; Path="/bugs/"

This has subtle security implications, since it could widen the scope of session cookies. If anyone is really relying on this bug, they deserve what's coming. ;-) (And they should set SESSION_COOKIE_PATH, but doing that will not reproduce the current behaviour. I very much doubt that the current behaviour is desirable for anyone; it certainly wasn't intentional when I wrote the code!)

        Greg
-- 
Greg Ward    http://www.gerg.ca/
Sure, I'm paranoid... but am I paranoid ENOUGH?
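The scoping behaviour described in the message, as an added example that is not part of the original post or of the attached patch: it models the default-path and path-match rules of RFC 6265 (sections 5.1.4 and 5.2.4) and reports which later requests would carry the session cookie with and without a Path attribute. All function names are hypothetical and none of this is Quixote code.

```python
# Added illustration: cookie path scoping per RFC 6265 (5.1.4 and 5.2.4).
# Function names are hypothetical; none of this is Quixote code.

def default_path(request_path):
    """Path a browser derives when Set-Cookie carries no Path attribute."""
    if not request_path.startswith("/"):
        return "/"
    cut = request_path.rfind("/")
    # Keep everything up to, but not including, the rightmost "/".
    return request_path[:cut] if cut > 0 else "/"

def path_match(request_path, cookie_path):
    """True if a cookie scoped to cookie_path is sent with request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts when it ends on a path-segment boundary.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def effective_cookie_path(set_cookie_path, request_path):
    """Path attribute if usable, else the default path of the setting request."""
    if set_cookie_path and set_cookie_path.startswith("/"):
        return set_cookie_path
    return default_path(request_path)

def scope_report(first_request, set_cookie_path, later_requests):
    """Map each later request path to whether the cookie accompanies it."""
    scope = effective_cookie_path(set_cookie_path, first_request)
    return {url: path_match(url, scope) for url in later_requests}

# Constructed sample paths: the first three come from the message's example,
# "/wiki/" stands for a different application on the same host.
LATER = ["/bugs/0123/edit", "/bugs/0124/", "/bugs/", "/wiki/"]

if __name__ == "__main__":
    for label, path in (("no Path attribute", None), ("Path=/bugs/", "/bugs/")):
        print(label)
        for url, sent in scope_report("/bugs/0123/", path, LATER).items():
            print(f"  {url:18} {'sent' if sent else 'not sent'}")
```

The second report shows the widened scope the message mentions: every URL under the application root now receives the session cookie, while paths outside it still do not.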