Opened 9 years ago

Closed 7 years ago

#668 closed enhancement (fixed)

Replace beaker sessions with itsdangerous based sessions

Reported by: Elrond Owned by:
Priority: major Milestone:
Component: programming Keywords: sprint
Cc: Christopher Allan Webber Parent Tickets:

Description (last modified by Elrond)

We want to switch from beaker sessions to itsdangerous based sessions.
Why? We should come up with a better list of reasons than "The core developers like this idea".

What's needed?

  1. Remove beaker sessions from paste*.ini
  2. Create a class that will be our new request.session
  3. Create code to create such an instance from a received cookie.
  4. Create code to send a (modified) session as a cookie to the client.

Some more Details

Create a class that will be our new request.session

Some pseudo code:

class MGSession(dict):
    """request.session: a plain dict plus a flag telling the response code to re-send the cookie."""

    def __init__(self, *args, **kwargs):
        super(MGSession, self).__init__(*args, **kwargs)
        self.send_new_cookie = False

    def save(self):
        # Mark the session as modified; the cookie is only sent when this is set.
        self.send_new_cookie = True

    def delete(self):
        # Empty session + save: the response code deletes the cookie on the client.
        self.clear()
        self.save()

Create Session Instance from cookie

Here's some pseudo code to do that. It includes code for future "revocation support". Because we do not store anything locally any more, one can only forcibly block sessions by blacklisting. In the first step, it's okay to document the needed approach in the code.

import logging
from werkzeug.exceptions import BadRequest  # assumed import; MediaGoblin runs on werkzeug

_log = logging.getLogger(__name__)

class SessionManager(object):
    def __init__(self, signer, max_age):
        self.signer = signer    # an itsdangerous serializer (e.g. URLSafeTimedSerializer)
        self.max_age = max_age  # the ticket leaves the actual value open

    def load_session_from_cookie(self, request, cookie_name):
        cookie = request.get_cookie(cookie_name)
        if not cookie:
            request.session = MGSession()
            return
        # Revocation support: a blacklisted cookie is rejected before it is parsed.
        # BadCookie is the (not yet existing) model holding the blacklist; a bare
        # query object is always truthy, so .first() is needed for the check to work.
        m = BadCookie.query.filter_by(cookie=cookie).first()
        if m:
            _log.warning("Bad cookie received: %s", m.reason)
            raise BadRequest()
        parsed_dict = self.signer.loads(cookie, max_age=self.max_age)
        request.session = MGSession(parsed_dict)

Send cookie

  • Only send a cookie if an update is needed
  • If the session is empty, delete the cookie on the client (MGSession.delete() was probably called)
  • Bonus points: Consider sending a new cookie if the old one is going to expire soon
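The whole design from steps 2 to 4 carried through as one runnable example. This is added code, not the ticket's pseudo code and not MediaGoblin's implementation. To run without the itsdangerous package it uses a small standard-library TimedSigner (base64 JSON payload, timestamp, HMAC-SHA256) in place of itsdangerous' URLSafeTimedSerializer; the cookie layout, the cookie name "mgsession", the in-memory blacklist standing in for the BadCookie table, and the "renew after half the lifetime" rule are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time


class BadSignature(Exception):
    """Raised for a tampered, expired, malformed or blacklisted cookie."""


class MGSession(dict):
    # The ticket's request.session: a dict that knows whether it must be re-sent.
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.send_new_cookie = False

    def save(self):
        self.send_new_cookie = True

    def delete(self):
        self.clear()
        self.save()


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _now(now):
    return int(time.time()) if now is None else now


class TimedSigner:
    # Stand-in for itsdangerous' URLSafeTimedSerializer; "payload.ts.mac" layout is assumed.
    def __init__(self, secret_key):
        self.secret_key = secret_key

    def _sign(self, msg):
        return _b64e(hmac.new(self.secret_key, msg.encode(), hashlib.sha256).digest())

    def dumps(self, data, now=None):
        payload = _b64e(json.dumps(data, sort_keys=True).encode())
        msg = payload + "." + _b64e(_now(now).to_bytes(8, "big"))
        return msg + "." + self._sign(msg)

    def loads(self, cookie, max_age, now=None):
        # Returns (data, issued_at); the MAC is checked before anything is decoded.
        parts = cookie.split(".")
        if len(parts) != 3:
            raise BadSignature("malformed cookie")
        payload, ts, sig = parts
        if not hmac.compare_digest(self._sign(payload + "." + ts), sig):
            raise BadSignature("signature mismatch")
        issued = int.from_bytes(_b64d(ts), "big")
        if _now(now) - issued > max_age:
            raise BadSignature("cookie expired")
        return json.loads(_b64d(payload)), issued


class SessionManager:
    COOKIE_NAME = "mgsession"  # assumed cookie name

    def __init__(self, secret_key, max_age=30 * 24 * 3600):
        self.signer = TimedSigner(secret_key)
        self.max_age = max_age
        self.bad_cookies = {}  # stand-in for the ticket's BadCookie table: cookie -> reason

    def revoke(self, cookie, reason):
        # Nothing is stored server-side, so blacklisting is the only way to block a session.
        self.bad_cookies[cookie] = reason

    def load_session(self, cookies, now=None):
        # Step 3 of the ticket: build request.session from the received cookie jar (a dict).
        cookie = cookies.get(self.COOKIE_NAME)
        if not cookie:
            return MGSession()
        if cookie in self.bad_cookies:
            raise BadSignature("blacklisted: " + self.bad_cookies[cookie])
        data, issued = self.signer.loads(cookie, self.max_age, now=now)
        session = MGSession(data)
        if _now(now) - issued > self.max_age // 2:
            session.save()  # bonus point: re-issue once past half the lifetime
        return session

    def cookie_action(self, session, now=None):
        # Step 4: None (send nothing), ("delete", None) or ("set", signed_cookie).
        if not session.send_new_cookie:
            return None
        if not session:
            return ("delete", None)
        return ("set", self.signer.dumps(dict(session), now=now))
```

The `now` parameters exist only so expiry and renewal can be exercised deterministically; in a real request handler they are left at None. Because the MAC is verified before the payload is decoded, a tampered or blacklisted cookie never reaches json.loads, and a session that was emptied via delete() results in a cookie deletion rather than an empty signed cookie.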

Subtickets

Change History (9)

comment:1 Changed 9 years ago by Elrond

Type: defect → enhancement

From #580:
This might be helpful too: http://flask.pocoo.org/snippets/51/

comment:2 Changed 9 years ago by Elrond

Description: modified (diff)

some small changes to example pseudo code, mostly suggesting a SessionManager class.

comment:3 Changed 9 years ago by Elrond

Owner: set to Brett Smith
Status: new → assigned

Small update: bcs / brett is working on this. I'm mostly waiting for a ping to merge his branch.

comment:4 Changed 9 years ago by Christopher Allan Webber

Brett, any updates on this? It sounds like it's close, and I'd really love to see it land!

comment:5 Changed 9 years ago by Elrond

Owner: Brett Smith deleted
Status: assigned → review

This has been merged!

I am claiming the ticket to clean up the last bits.

comment:6 Changed 9 years ago by Elrond

Owner: set to Elrond
Status: review → in_progress

comment:7 Changed 8 years ago by Christopher Allan Webber

Hey Elrond,

Is there anything that's still being cleaned up or can we close this?

comment:8 Changed 7 years ago by Elrond

Really, I have no idea.

It's probably done, I'm guessing.

If there's something wrong, we'll file a new bug.

comment:9 Changed 7 years ago by Christopher Allan Webber

Owner: Elrond deleted
Resolution: fixed
Status: in_progress → closed

This landed a long time ago. I think Elrond at one point wanted to do cleanup, but whatever was wanted either has been done or the memory of what that cleanup was has been lost to the sands of time. Regardless, things seem to be working fine now. Closed!
