Greetings,
I'm using Twisted+Nevow and everything works great, except if I attempt to use cookie-less sessions (i.e. "block cookies" in Mozilla); the URLs start out fine (/__session_key__ETC) but the session key changes for every child resource I visit, which seems bad.
I'm using a nevow.guard.SessionWrapper around twisted.cred.portal.Portal which contains a simple implementation of IRealm containing my root resource.
I'm not entirely sure where to look for problems. I would have expected Nevow to re-write href attributes to be something like /__session_key__BAR/foo from /foo, but that's not happening.
Any guidance or suggestions for things I should look into?
Thanks, mike
Mike Warren wrote:
> I'm not entirely sure where to look for problems. I would have expected Nevow to re-write href attributes to be something like /__session_key__BAR/foo from /foo, but that's not happening.
> Any guidance or suggestions for things I should look into?
Rewriting is way too problematic. This form of session management is only compatible with relative links. Just use relative links instead of absolute ones.
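An added example, not part of the original thread and not Nevow code: it resolves links the way a browser does to show why a relative href keeps the `/__session_key__BAR` segment while `/foo` drops it, and flags hrefs that would leave the session. The host `example.test`, the page paths and the helper names are assumptions; only the `__session_key__` marker comes from the thread.

```python
import posixpath
from urllib.parse import urljoin, urlsplit

SESSION_PREFIX = "__session_key__"  # URL marker quoted in the thread

def session_key(url):
    """Return the key carried in the first path segment, or None."""
    first = urlsplit(url).path.lstrip("/").split("/", 1)[0]
    if first.startswith(SESSION_PREFIX):
        return first[len(SESSION_PREFIX):]
    return None

def follow(page_url, href):
    """Resolve href against the page URL, as a browser does on click."""
    return urljoin(page_url, href)

def to_relative(current_path, target_path):
    """Hypothetical helper: express the site path target_path relative to
    the page at current_path, so the markup never names the session."""
    return posixpath.relpath(target_path, posixpath.dirname(current_path))

def links_dropping_session(page_url, hrefs):
    """List the hrefs that would leave the session carried by page_url."""
    key = session_key(page_url)
    return [h for h in hrefs if session_key(follow(page_url, h)) != key]

# Constructed sample URLs: the same page reached without and with cookies.
COOKIELESS_PAGE = "http://example.test/__session_key__BAR/admin/users"
COOKIE_PAGE = "http://example.test/admin/users"

if __name__ == "__main__":
    rel = to_relative("/admin/users", "/foo")
    print("relative form of /foo:", rel)
    for href in ("/foo", rel):
        target = follow(COOKIELESS_PAGE, href)
        print(f"{href!r:10} -> {target}  key={session_key(target)}")
    # The same relative markup also works when cookies carry the session.
    print("with cookies:", follow(COOKIE_PAGE, rel))
    print("drops session:",
          links_dropping_session(COOKIELESS_PAGE, ["/foo", rel, "edit", "../../foo"]))
```

A relative link with too many `..` segments climbs past the session segment and loses the key just as an absolute path does, which is why `../../foo` is flagged.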
Christopher Armstrong radix@twistedmatrix.com writes:
> Mike Warren wrote:
> > I'm not entirely sure where to look for problems. I would have expected Nevow to re-write href attributes to be something like /__session_key__BAR/foo from /foo, but that's not happening. Any guidance or suggestions for things I should look into?
> Rewriting is way too problematic. This form of session management is only compatible with relative links. Just use relative links instead of absolute ones.
Is there a way to turn it off, besides overriding the locateChild method in nevow.guard.SessionWrapper? In my case, re-writing the URLs myself is going to be about the same amount of work as writing relative URLs, so I'd rather do the former or neither (and just make users turn on cookies or not interact).
What exactly are the problems with re-writing? I tried some quick hackery in nevow.flat.flatstan near line 110 to look for an "href" key and then check that the resulting serialized value started with the appropriate magic if it started with '/', but neither the request nor session is "remembered" in the context I get; is this the "way too problematic" bit? (I don't know quite how the remembering/flattening works).
It would be preferable to just have a "please turn on cookies if you want to do ``X''" page; I would like to keep site-customisation sorts of things in the session (rather than, for example, cookies) but the way the session_key code works right now, a user with blocked cookies will be generating a new session for every request they make; I'd rather have just one "anonymous" session which wouldn't be mutable (i.e. it would always be filled with the defaults which would be generated by creating a new session).
To that end, would anyone else find a "default session if no cookies" bit of code useful? (Obviously, one could then determine if the user was a "no-cookies" user by seeing if their session is the same as the "no-cookies" session).
Thanks,