durusmail: quixote-users: cookies
cookies
Patrick K. O'Brien
2002-05-29
[Greg Ward]
> OK, I've just added the following text to doc/session-mgmt.txt; please
> tell me if this explains things enough:

Wonderful. I've got but a few minor suggestions. I'll snip most of your doc
and leave just enough context so that my suggestions make sense.

> However, think carefully about what you set COOKIE_PATH to -- eg. if you
> set it to "/", but all of your Quixote code is under "/q/" in your
> server's URL-space, then your user's session cookies could be
> unnecessarily exposed.  On shared servers where you don't control all of
> the code, this is especially dangerous.

This is excellent. I was hoping you would address this. Could you also give
an example to round out this case? Should the path be:

  COOKIE_PATH = "/q"

or

  COOKIE_PATH = "/q/"

or does it not matter? (I suspect the latter is correct.)

> See RFCs 2109 and 2965 for more information on the rules browsers are
> supposed to follow for including cookies with HTTP requests.

A couple of URLs to these RFCs would be icing on the cake.

My final question/suggestion is to document how the settings in the config
interact with the parameters specified in the specific call to set_cookie().
Specifically the fact that having the values in the config file doesn't mean
they get used outside of the session functions. If you want to set a cookie
yourself you need to do something like:

        request.response.set_cookie('style', component,
                                    domain=config.cookie_domain,
                                    path=config.cookie_path)

Or maybe this isn't appropriate since, as your other email pointed out to
me, using the session stuff is better than setting individual cookies. So
maybe you could just show how the set_cookie() call looks in the session
routines and suggest that this is how cookies should be set if you wanted to
do it yourself, even though using the session stuff is recommended.

Thank you. This is shaping up quite nicely.

---
Patrick K. O'Brien
Orbtech



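The "/q" versus "/q/" question above comes down to how browsers path-match a cookie's Path attribute against the request URL. The following is an added example, not code from the thread, from Quixote, or from Greg Ward's documentation; it implements the path-match rule of RFC 2109 (which the post cites) and the stricter rule of RFC 6265 section 5.1.4 that current browsers follow, and runs both over a constructed URL-space for a shared server so the exposure of each COOKIE_PATH choice can be seen directly. The request paths and the helper names are assumptions made for the example.

```python
"""Cookie path scoping check: which request paths would a browser send a
cookie to, given a Path attribute such as "/", "/q" or "/q/"?

Added example, not part of the quixote-users thread or of Quixote itself.
Two path-matching rules are implemented:
  * RFC 2109 section 2 (cited in the thread): a request path matches a
    cookie path if the cookie path is a plain string prefix of it.
  * RFC 6265 section 5.1.4 (what current browsers do): the cookie path must
    be a prefix AND either end in "/" or be followed by "/" in the request
    path, so that "/q" does not also match "/quux".
"""


def path_matches_rfc2109(request_path: str, cookie_path: str) -> bool:
    """RFC 2109 'path-match': plain prefix comparison."""
    return request_path.startswith(cookie_path)


def path_matches_rfc6265(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match algorithm."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    # cookie_path is a proper prefix not ending in "/": the next character of
    # request_path must be "/" for the match to hold.
    return request_path[len(cookie_path)] == "/"


def exposed_paths(cookie_path, request_paths, rule=path_matches_rfc6265):
    """Return the subset of request_paths that would receive the cookie."""
    return [p for p in request_paths if rule(p, cookie_path)]


# Constructed sample URL-space for a shared server: the Quixote application
# lives under /q/, other code lives elsewhere (hypothetical paths).
SAMPLE_PATHS = [
    "/",
    "/q",
    "/q/",
    "/q/login",
    "/q/admin/users",
    "/quux/other-app",   # a different application whose name starts with "q"
    "/static/logo.png",
]

if __name__ == "__main__":
    for cookie_path in ("/", "/q", "/q/"):
        print(f'COOKIE_PATH = "{cookie_path}"')
        print("  RFC 2109 prefix rule:",
              exposed_paths(cookie_path, SAMPLE_PATHS, path_matches_rfc2109))
        print("  RFC 6265 rule:       ",
              exposed_paths(cookie_path, SAMPLE_PATHS))
```

Running it shows the defensive reading of the documentation text: "/" sends the cookie to every path on the server, "/q" under the RFC 2109 prefix rule also leaks it to "/quux/other-app", and "/q/" confines it to the Quixote tree under both rules. The trailing slash therefore matters when other code shares the server, which is the case the quoted paragraph warns about.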