From Jim Gallacher <jg.li...@sympatico.ca>
Subject Re: PythonSessionOption - a new apache directive for session configuration
Date Wed, 15 Jun 2005 19:57:16 GMT
Hi Nick,

I must be really dense today, because I need yet more clarification.

Nick wrote:
> Jim Gallacher wrote:
>> Nick wrote:
>>> How about an explicit "None" value to completely disable it?  If you 
>>> don't want users on your site using it.
>> Do you mean to disable sessions, or just the session configuration?
> Yes, I'm sorry, I mean disable the session mechanism altogether.   Some
> admins may see it as a potential security issue.  Although I'm sure 
> you're doing the best you can to make sure it can't be exploited as 
> such, if you make it so people can eventually plug in their own session 
> mechanisms, there might be room for abuse.
> Nick

Just so I'm *really* clear, do you mean the current scheme for session 
handling would also be disabled? For example users would need to catch 
an exception if the admin has disabled sessions:

from mod_python import Session

def handler(req):
     try:
         sess = Session.Session(req)
     except SecurityException:  # hypothetical exception raised when sessions are disabled
         req.log_error('sessions are disabled')

Or do you mean that using a config option like:
     PythonSessionOption session mymodule.MySessionThing

would not be allowed if mymodule.MySessionThing was not in a list of 
approved session classes?

I really don't see how sessions could be completely disabled, since all 
you are really doing is setting a cookie and reading/writing some data 
to a file.
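The second reading above (a directive value checked against an admin-controlled list of approved session classes, with an explicit None disabling sessions outright) could work roughly as follows. This is an added illustration, not code from the mail or from mod_python: `SecurityException`, `load_session_class`, `session_status` and the approved-list shape are hypothetical, and `mymodule.MySessionThing` is a constructed stand-in registered in `sys.modules` so the example runs on its own.

```python
import importlib
import sys
import types

# Constructed stand-in for the "mymodule.MySessionThing" class named in the
# mail, registered so importlib can find it without a file on disk.
mymodule = types.ModuleType('mymodule')

class MySessionThing(object):
    """Minimal pluggable session class (constructed for this example)."""
    def __init__(self, req):
        self.req = req

mymodule.MySessionThing = MySessionThing
sys.modules['mymodule'] = mymodule


class SecurityException(Exception):
    """Hypothetical: raised when the admin has not approved a session class."""


def load_session_class(option_value, approved):
    """Resolve the dotted path a (hypothetical) PythonSessionOption would carry.

    approved is the admin's allow-list of dotted "module.Class" paths; None
    models an explicit "None" setting that disables the session mechanism.
    Nothing is imported unless the exact path is on the list, so a user
    cannot pull in an arbitrary module by naming it in the directive.
    """
    if approved is None:
        raise SecurityException('sessions are disabled by the administrator')
    if option_value not in approved:
        raise SecurityException('session class %r is not approved' % (option_value,))
    module_name, _, class_name = option_value.rpartition('.')
    if not module_name or not class_name:
        raise SecurityException('malformed session class path %r' % (option_value,))
    cls = getattr(importlib.import_module(module_name), class_name, None)
    if not isinstance(cls, type):
        raise SecurityException('%r is not a class' % (option_value,))
    return cls


def session_status(option_value, approved):
    """Return 'ok', or the message a handler would pass to req.log_error()."""
    try:
        load_session_class(option_value, approved)
        return 'ok'
    except SecurityException as exc:
        return str(exc)
```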
