durusmail: quixote-users: Patch: smarter default session cookie path [PATCH]
Patch: smarter default session cookie path [PATCH]
Jason E. Sibre
2004-01-29
> -----Original Message-----
> From: quixote-users-bounces+jsibre=chironsys.com@mems-exchange.org
> [mailto:quixote-users-bounces+jsibre=chironsys.com@mems-exchange.org]On
> Behalf Of Greg Ward
> Sent: Friday, December 26, 2003 7:38 PM
> To: quixote-users@mems-exchange.org
> Subject: [Quixote-users] Patch: smarter default session cookie path

        [Greg explains the problem, and supplies a patch to solve it]

Thanks for putting this out here, Greg.  During my session tribulations the
last two days, I was actually bitten by the problem you described at one
point, and remembering your post and applying the patch saved me
who-knows-how-much-grief.

Then I got other bugs...  I'm sure you got a chuckle about them :)

Anyway, things are going pretty well now, and in testing against Moz 1.5,
IE6, and NN4.7, I found some problems with logging out in the latter.  After
modifying my copy of medusa_http.py to provide a trace of headers in and
headers out, I narrowed the problem down to:

[after successful login]
OUTGOING:  Set-Cookie = QX_session="1445a1dd640e66fe"; path=/

and

[after successful logout]
OUTGOING:  Set-Cookie = QX_session=""; max-age=0


In IE and Moz, the missing 'path=/' is not an issue, but it causes NN4.7 to
treat it as a different cookie:

[next request, immediately after logout, request coming from NN4.7]
INCOMING:  HTTP_COOKIE = QX_session="750697b293ab2a5b"; QX_session=""

So, even though NN4.7 is old, and should probably be buried, I submit the
following patches to help quixote play better with it (and bring the
revoke_session_cookie code in line with your modifications to the
set_session_cookie code):

One is a patch against a session.py that has already been patched with your
patch (session.py.cookie-path-revoke.patch), and the other is a patch
against a 'stock' 0.7a3 session.py file
(session.py.cookie-path-set-revoke.patch)


Jason
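
The mismatch described in the message above can be reproduced with a small model of a client that stores cookies by (name, path), as the message reports for NN4.7. This is an added example, not code from the original post or from Quixote. It assumes the client honours `max-age=0` and uses the RFC 6265 default-path rule when no path is sent; the logout URL and the `REVOKE_WITH_PATH` header are constructed.

```python
from http.cookies import SimpleCookie

def default_path(request_path):
    """Path a client assumes when Set-Cookie has no path (RFC 6265 rule)."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]

def apply_set_cookie(jar, header_value, request_path):
    """Apply one Set-Cookie value to jar, a dict keyed by (name, path)."""
    parsed = SimpleCookie()
    parsed.load(header_value)
    for name, morsel in parsed.items():
        # Without an explicit path the client derives one from the request URL.
        path = morsel["path"] or default_path(request_path)
        if morsel["max-age"] == "0":
            jar.pop((name, path), None)  # expires only the exact (name, path) entry
        else:
            jar[(name, path)] = morsel.value

def session_survives_logout(login_header, logout_header, request_path,
                            name="QX_session"):
    """True if a cookie called `name` is still stored after the logout response."""
    jar = {}
    apply_set_cookie(jar, login_header, request_path)
    apply_set_cookie(jar, logout_header, request_path)
    return any(cookie_name == name for cookie_name, _ in jar)

# Header values taken from the trace in the message above.
LOGIN = 'QX_session="1445a1dd640e66fe"; path=/'
REVOKE_NO_PATH = 'QX_session=""; max-age=0'
# Constructed: the same revocation carrying the path the cookie was set with.
REVOKE_WITH_PATH = 'QX_session=""; max-age=0; path=/'
# Constructed request path for the logout page.
LOGOUT_URL = "/app/logout"

if __name__ == "__main__":
    print("revoke without path, session cookie kept:",
          session_survives_logout(LOGIN, REVOKE_NO_PATH, LOGOUT_URL))
    print("revoke with path=/, session cookie kept:",
          session_survives_logout(LOGIN, REVOKE_WITH_PATH, LOGOUT_URL))
```

A check like `session_survives_logout` fits in a regression test for the logout handler, so a revocation header that drops the path is caught before it leaves a session cookie in the browser.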