durusmail: quixote-users: Interface for session persistence
Interface for session persistence
Greg Ward
2002-05-20
On 20 May 2002, I said:
> BTW thank you -- I have been liking the name 'is_empty()' less and less,
> but I couldn't think of what it *should* be called.  'is_dirty()' is the
> obvious answer -- duh!

Crap.  Making this change is philosophically incompatible with the
current implementation of SessionManager.maintain_sessions(), which goes
to considerable lengths to rid itself of sessions that have not had any
useful data put in them:

        if self.sessions.has_key(session.id): # session already saved
            if session.is_empty():            # but no use keeping it around
                del self.sessions[session.id]
                self.revoke_session_cookie(request)

This is all a defence against stupid/malicious clients that ignore both
session cookies and robots.txt.  (We use robots.txt to steer robots away
from areas of our site that require a session, namely the login page and
anything that requires logging in.  If a robot goes to our login page
anyways and gets a session cookie, then it's still OK as long as it
returns that session cookie on future requests.  If it doesn't, though,
then our server is stuck with creating a new session for every request
made by this stupid robot.  If we then save every one of those sessions
to our database, we come in in the morning and find 10,000 empty
sessions in our database when we normally have a few hundred.  Yuck.)

However, I think the logic in maintain_sessions() is flawed: the only
place where we add sessions to the sessions dict is in the other branch
of the "if" statement I just showed:

        else:                # session not in sessions dict (yet)
            if not session.is_empty():
                # must save it in the dictionary of sessions and drop
                # a cookie on the client so that it can be found again
                self.sessions[session.id] = session
                self.set_session_cookie(request, session.id)

IOW, we never put empty sessions in the sessions dict in the first
place.  So the first half of maintain_sessions() is pointless.

Neil, does this sound right to you?  Or am I smoking pot / missing some
vital point / blinded by science / whatever?

If I'm right, then maintain_sessions() can be chopped in half and
is_dirty() can replace is_empty().  I'll play around a bit with that and
see what breaks.

        Greg
--
Greg Ward - software developer                gward@mems-exchange.org
MEMS Exchange                            http://www.mems-exchange.org


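The two branches quoted in the message above, reassembled into a small in-memory model and run against a client that never returns its session cookie. This is an added example, not part of the original post and not Quixote's own code; Session, FakeRequest, get_session(), handle() and simulate_cookieless_robot() are hypothetical stand-ins, and "empty" is assumed to mean "no logged-in user".

```python
# Added illustration: minimal model of the quoted maintain_sessions() branches.
# All classes and helpers here are hypothetical stand-ins, not Quixote classes.
import itertools

class Session:
    _ids = itertools.count(1)
    def __init__(self):
        self.id = "s%d" % next(Session._ids)
        self.user = None
    def is_empty(self):
        return self.user is None          # assumption: only a login counts as data

class FakeRequest:
    def __init__(self, cookie=None):
        self.cookie = cookie              # session id the client sent back, if any
        self.set_cookie = None            # cookie change the server responds with

class SessionManager:
    def __init__(self):
        self.sessions = {}
    def get_session(self, request):
        # Missing or unknown cookie: hand out a fresh session that is not saved yet
        return self.sessions.get(request.cookie) or Session()
    def maintain_sessions(self, request, session):
        if session.id in self.sessions:   # session already saved
            if session.is_empty():        # but no use keeping it around
                del self.sessions[session.id]
                request.set_cookie = ""   # stands in for revoke_session_cookie()
        elif not session.is_empty():      # first useful data: save it, drop a cookie
            self.sessions[session.id] = session
            request.set_cookie = session.id

def handle(mgr, cookie=None, login=None, logout=False):
    """One request/response cycle; returns the cookie the client holds afterwards."""
    req = FakeRequest(cookie)
    session = mgr.get_session(req)
    if login:
        session.user = login
    if logout:
        session.user = None
    mgr.maintain_sessions(req, session)
    return cookie if req.set_cookie is None else (req.set_cookie or None)

def simulate_cookieless_robot(mgr, n):
    """n requests from a client that ignores cookies and never logs in."""
    for _ in range(n):
        handle(mgr)
    return len(mgr.sessions)              # number of sessions actually stored
```
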