Opened 11 years ago
Last modified 10 years ago
#668 closed enhancement
Replace beaker sessions with itsdangerous based sessions — at Initial Version
| Reported by: | Elrond | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | programming | Keywords: | sprint |
| Cc: | Christopher Allan Webber | Parent Tickets: |
Description
We want to switch from beaker sessions to itsdangerous based sessions.
Why? We should come up with a better list of reaasons than "The core developers like this idea".
What's needed?
- Remove beaker sessions from paste*.ini
- Create a class that will be our new
request.session - Create code to create such an instance from a received cookie.
- Create code to send a (modified) session as a cookie to the client.
Some more Details
Create a class that will be our new request.session
Some pseudo code:
class MGSession(dict):
def save(self):
self.send_new_cookie = True
def delete(self):
self.clear()
self.save()
@classmethod
def from_cookie_string(cls, cookie):
if not cookie:
return cls()
...
Create Session Instance from cookie
Here's some pseudo code to do that. It includes code for future "revocation support". Because we do not store anything locally any more, one can only forcibly block sessions by blacklisting. In the first step, its okay to document the needed approach in the code.
def load_session_from_cookie(request, cookie_name):
cookie = request.get_cookie(cookie_name)
m = BadCookie.query.filter_by(cookie = cookie)
if m:
_log.warn("Bad cookie received: %s", m.reason)
raise BadRequest()
requestion.session = MGSession.from_cookie_string(cookie)
Send cookie
- Only send a cookie, if an update is needed
- If the session is empty delete the cookie on the client (
MGSession.delete()was called probably) - Bonus points: Consider sending a new cookie, if the old one is going to expire soon
Note:
See TracTickets
for help on using tickets.
