
Hello,

We recently had some problems with the ISession hanging around even after a new login. Also IE has had some weird behaviour: when you log in with one set of credentials, hit back, then log in again (with incorrect credentials), you are still logged in with your original (correct) credentials.

To work around this, we've monkey-patched guard to logout and expire the session on login.

Below is a patch that adds this change to nevow SVN.

Known problems:
- line 295 calls portal.login straight-up, and so this patch doesn't help with certain http auth cases.
- I may be doing weird evil wrong stuff with context, mostly because I don't understand it.

cheers,
jml

Index: nevow/guard.py =================================================================== --- nevow/guard.py (revision 1123) +++ nevow/guard.py (working copy) @@ -362,6 +362,11 @@ return UsernamePassword(username, password) def login(self, request, session, credentials, segments, anonymous=False): + session.portalLogout(self.portal) + from twisted.python import context + ctxSession = inevow.ISession(context, None) + if ctxSession: + ctxSession.expire() mind = self.mindFactory(request, credentials) session.mind = mind return self.portal.login(credentials, mind, self.credInterface).addCallback(
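Review bot: in the added lines of the login() hunk, `inevow.ISession(context, None)` adapts the `twisted.python.context` module object itself, not a value stored in the call context, so unless an adapter is registered for module objects ctxSession will be None and the `ctxSession.expire()` branch never runs; if the intent is the session stored in the context, fetch that value explicitly, and since `session` is already a parameter of this method, say why a second, context-derived session needs expiring at all. Three smaller points on the same hunk: the `from twisted.python import context` import belongs at module top rather than inside login(); `session.portalLogout(self.portal)` now runs unconditionally, including when `anonymous=True`, so that path needs checking; and, as the cover note admits, the other `portal.login` call site (around line 295) does not get the same logout, so the two login paths behave differently on re-login until both are covered.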

On Tue, Feb 01, 2005 at 12:29:08AM +0000, Jonathan Lange wrote:
Hello,
We recently had some problems with the ISession hanging around even after a new login. Also IE has had some weird behaviour: when you log in with one set of credentials, hit back, then log in again (with incorrect credentials), you are still logged in with your original (correct) credentials.
To work around this, we've monkey-patched guard to logout and expire the session on login.
Below is a patch that adds this change to nevow SVN.
Known problems:
- line 295 calls portal.login straight-up, and so this patch doesn't help with certain http auth cases.
- I may be doing weird evil wrong stuff with context, mostly because I don't understand it.
cheers, jml
Index: nevow/guard.py =================================================================== --- nevow/guard.py (revision 1123) +++ nevow/guard.py (working copy) @@ -362,6 +362,11 @@ return UsernamePassword(username, password)
def login(self, request, session, credentials, segments, anonymous=False): + session.portalLogout(self.portal) + from twisted.python import context + ctxSession = inevow.ISession(context, None) + if ctxSession: + ctxSession.expire() mind = self.mindFactory(request, credentials) session.mind = mind return self.portal.login(credentials, mind, self.credInterface).addCallback(
With my usage I had apparently no problem regardless of the above, but I can imagine some other app may have a problem. My only problem was the logout, which didn't drop the privileged stuff from the session. But a re-login without a logout in between would overwrite everything privileged, so I cannot notice any difference.

Though the problem is very similar to the one I had on the logout side, and you also did a session expiry in nevow like I did originally. I believe the login can refresh the session with the avatar code like I'm doing for solving the logout problem too. I can see the second unsetComponent below not raising the exception during a re-login without a logout in between, which means it's making a difference (even if it makes no difference for my site), and it should allow you to fix up your code optimally without regenerating the cookie.

If you copy my code below and adapt it to your app, you should be able to clean up your session during both the logout and the re-login procedures. Probably there should be a dumb mode that expires the sessions both during login and logout. I don't mind anymore myself since I just learnt how to solve it, but the stuff below may not be worth it for simple sites.

For how to set up the Mind see the logout_guard2 example. I guess the logout_guard2 example should be updated too with the session cleanup during login.
    # Method of the application's Realm class.  Needs these imports, plus the
    # application's own iweb, guest and account modules (not part of this message):
    #   from nevow import inevow
    #   from twisted.cred import checkers

    def requestAvatar(self, avatar_id, mind, *interfaces):
        #print avatar_id, mind, interfaces
        for interface in interfaces:
            if interface is inevow.IResource:
                def logout(session):
                    def _logout():
                        # account
                        try:
                            session.unsetComponent(iweb.IAccount)
                        except KeyError:
                            pass
                        # force a full session expiry
                        #del session.guard.sessions[session.uid]
                    return _logout
                if avatar_id is checkers.ANONYMOUS or avatar_id.shutdown:
                    resc = guest.root_page_class()
                    resc.realm = self
                    return (inevow.IResource, resc, lambda: None)
                else:
                    resc = account.root_page_class(avatar_id)
                    resc.remember(avatar_id, iweb.IAccount)
                    resc.realm = self
                    session = mind.request.getSession()
                    # second unsetComponent: clears an account left behind by a
                    # re-login without a logout in between
                    try:
                        session.unsetComponent(iweb.IAccount)
                    except KeyError:
                        pass
                    return (inevow.IResource, resc, logout(session))
        raise NotImplementedError("Can't support that interface.")
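The failure mode from the original report (correct login, back button, rejected re-login, old account still bound) and the cleanup approach from the reply above, as an added example that is not code from nevow, Twisted or either poster. It imports neither; `Session`, `Portal`, `requestAvatar`, the `USERS` table and the login sequence in `replay` are constructed stand-ins that only imitate the shape of `ISession.portalLogout`, `Portal.login` and a realm's `requestAvatar` (avatar plus logout callable), so that the two `login` variants can be compared offline.

```python
"""Constructed model of the re-login problem discussed in this thread.
Added example, not code from nevow, Twisted or either poster: Session, Portal
and requestAvatar are stand-ins imitating the shape of ISession.portalLogout,
Portal.login and a realm's requestAvatar (avatar plus logout callable)."""

USERS = {"alice": "s3cret", "bob": "hunter2"}   # constructed user table


class UnauthorizedLogin(Exception):
    """Bad credentials (stand-in for twisted.cred.error.UnauthorizedLogin)."""


class Session:
    """Per-cookie state: components by interface name + current logout callable."""

    def __init__(self, uid):
        self.uid = uid
        self.components = {}        # e.g. {"IAccount": "alice"}
        self.logout_callback = None

    def setComponent(self, name, value):
        self.components[name] = value

    def unsetComponent(self, name):
        del self.components[name]   # KeyError when nothing is bound, as in the reply's code

    def getComponent(self, name, default=None):
        return self.components.get(name, default)

    def portalLogout(self):
        """Run the bound avatar's logout once (cf. ISession.portalLogout)."""
        if self.logout_callback is not None:
            callback, self.logout_callback = self.logout_callback, None
            callback()


class Portal:
    """Check credentials, then ask the realm for the avatar."""

    def login(self, session, username, password):
        if USERS.get(username) != password:
            raise UnauthorizedLogin(username)
        return requestAvatar(session, username)


def requestAvatar(session, avatar_id):
    """Bind the account to the session and return a logout that unbinds it,
    using the unsetComponent pattern from the reply above."""
    try:                                    # drop whatever an earlier login left
        session.unsetComponent("IAccount")
    except KeyError:
        pass
    session.setComponent("IAccount", avatar_id)

    def _logout():
        try:
            session.unsetComponent("IAccount")
        except KeyError:
            pass

    return avatar_id, _logout


def login_unpatched(portal, session, username, password):
    """Original shape: nothing is cleared before portal.login, so a rejected
    attempt leaves the previously bound account in place."""
    try:
        avatar, logout = portal.login(session, username, password)
    except UnauthorizedLogin:
        return False
    session.logout_callback = logout
    return True


def login_patched(portal, session, username, password):
    """Patched shape: log the previous avatar out before trying the new
    credentials, so a rejected attempt ends with nobody logged in."""
    session.portalLogout()
    try:
        avatar, logout = portal.login(session, username, password)
    except UnauthorizedLogin:
        return False
    session.logout_callback = logout
    return True


def replay(login_func):
    """The IE back-button sequence from the report: a correct login, then an
    incorrect one on the same session cookie. Returns (ok1, ok2, bound account)."""
    portal, session = Portal(), Session(uid="cookie-1")
    first = login_func(portal, session, "alice", "s3cret")
    second = login_func(portal, session, "bob", "wrong")
    return first, second, session.getComponent("IAccount")


if __name__ == "__main__":
    print("unpatched:", replay(login_unpatched))   # (True, False, 'alice')
    print("patched:  ", replay(login_patched))     # (True, False, None)
```

The security-relevant difference is the order of operations: in `login_patched` the previous avatar is logged out before the new credentials are checked, so a rejected attempt cannot fall back to the earlier privileges, which is what `session.portalLogout(self.portal)` at the top of the patched `login()` is for. Calling `expire()` on the session goes further, discarding the whole session (and in nevow its cookie), which is the "dumb mode" the reply mentions; unbinding only the account component keeps the cookie and the rest of the session intact.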
participants (2)
- Andrea Arcangeli
- Jonathan Lange