Opened 8 years ago

Closed 8 years ago

#4724 closed (fixed)

Add SESSION_COOKIE_PATH setting.

Reported by: Graham.Dumpleton@…
Owned by: frej
Component: HTTP handling
Version: master
Severity:
Keywords: sprintsept14
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

When using a pure Python web server executed from command line Python it is only possible to run one Django instance. This is because of how the configuration settings module is derived from the os.environ value. If however using mod_python, more than one Django instance can be run by using the PythonInterpreter directive of mod_python to force them to be run in different Python sub interpreters.

If these two Django instances are running in distinct virtual hosts then all will be fine. If however the two Django instances are running at different URL mount points within the same virtual host, problems will be encountered where each instance is making use of authenticated sessions, e.g. admin interface, and they have different user/session databases.

The problem here is that each Django instance will attempt to use the same cookie name for tracking the session, thus the first Django instance to set it will win. When one now browses to the other Django instance it will think the session id is invalid and force the user to log in again.

The only way around this problem is to set the SESSION_COOKIE_NAME to be different for both Django instances.

Rather than change the name of the session cookie, the feature of cookies that allows them to be restricted to a specific URL within a site should probably be supported and that used instead as that is a more standard way of solving this problem. It would also reduce the amount of cookie information having to be sent with a request as only the cookie value for the Django instance being browsed would be sent, instead of all cookies for all Django instances within that virtual host.

Thus, a new SESSION_COOKIE_PATH setting should possibly be supported. This would default if not defined to use '/' as the path so it applies to the whole virtual host, but could be overridden to restrict it to the context of a specific Django instance.
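The collision described above, and the effect of scoping the cookie by path, as an added example that is not part of the ticket or of Django's code. The mount points `/app1/` and `/app2/`, the session ids and the helper names are constructed; the matching rule is the RFC 6265 path-match algorithm a browser applies.

```python
from http.cookies import SimpleCookie

# Constructed deployment: two Django instances under one virtual host.
# Mount points and session ids are made up for this example.
INSTANCES = {
    "/app1/": "sessid-from-app1",
    "/app2/": "sessid-from-app2",
}


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts on a "/" boundary, so a cookie path of
        # "/app1" does not cover "/app10/".
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def set_cookie_header(mount, session_id, scoped):
    """Build the Set-Cookie value one instance would emit.

    scoped=False models the default SESSION_COOKIE_PATH = '/';
    scoped=True models SESSION_COOKIE_PATH set to the mount point.
    """
    jar = SimpleCookie()
    jar["sessionid"] = session_id
    jar["sessionid"]["path"] = mount if scoped else "/"
    return jar["sessionid"].OutputString()


def browser_sends(request_path, scoped):
    """Session ids a browser sends after logging in to app1, then app2."""
    store = {}  # keyed by (name, path); the domain is the same for both
    for mount, sid in INSTANCES.items():
        header = set_cookie_header(mount, sid, scoped)
        morsel = SimpleCookie(header)["sessionid"]
        # Same name and same path: the later cookie replaces the earlier one.
        store[("sessionid", morsel["path"])] = morsel.value
    return sorted(v for (_, p), v in store.items() if path_match(request_path, p))


if __name__ == "__main__":
    for scoped in (False, True):
        print("scoped" if scoped else "default '/'",
              browser_sends("/app1/admin/", scoped))
```

RFC 6265 states that the Path attribute cannot be relied upon for security, so path scoping fixes the session-id collision but does not isolate the two instances from each other.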

Attachments (2)

session_cookie_path.2.patch (2.1 KB) - added by frej 8 years ago.
Oops - fix the doc part of the patch
session_cookie_path.patch (1.9 KB) - added by frej 8 years ago.


Change History (9)

comment:1 Changed 8 years ago by mtredinnick

  • Component changed from Uncategorized to HTTP handling
  • Needs documentation unset
  • Needs tests unset
  • Owner changed from jacob to mtredinnick
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

comment:2 Changed 8 years ago by frej

  • Has patch set
  • Owner changed from nobody to anonymous

Simple patch attached.
Seems pretty simple.. But there might be more to it?

Changed 8 years ago by frej

Oops - fix the doc part of the patch

comment:3 Changed 8 years ago by Fredrik Lundh <fredrik@…>

Looks good to me (but that's me). A couple of trivial typos in the comments and the documentation needs to be fixed before this is committed, though.

Changed 8 years ago by frej

comment:4 Changed 8 years ago by frej

Updates patch with better comments/docs.
Ignore '2.patch'

comment:5 Changed 8 years ago by frej

  • Keywords sprintsept14 added

comment:6 Changed 8 years ago by frej

  • Owner changed from anonymous to frej

comment:7 Changed 8 years ago by mtredinnick

  • Resolution set to fixed
  • Status changed from new to closed

(In [6545]) Fixed #4724 -- Added support for configurable session cookie paths. Helps with
multiple Django installs under the same hostname. Thanks, frej and Graham
Dumpleton.
