Opened 17 years ago

Closed 17 years ago

#4724 closed (fixed)

Add SESSION_COOKIE_PATH setting.

Reported by: Graham.Dumpleton@…
Owned by: frej
Component: HTTP handling
Version: dev
Severity:
Keywords: sprintsept14
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When using a pure Python web server executed from command line Python it is only possible to run one Django instance. This is because of how the configuration settings module is derived from the os.environ value. If however using mod_python, more than one Django instance can be run by using the PythonInterpreter directive of mod_python to force them to be run in different Python sub interpreters.

If these two Django instances are running in distinct virtual hosts then all will be fine. If however the two Django instances are running at different URL mount points within the same virtual host, problems will be encountered where each instance is making use of authenticated sessions, e.g. the admin interface, and they have different user/session databases.

The problem here is that each Django instance will attempt to use the same cookie name for tracking the session, thus the first Django instance to set it will win. When one now browses to the other Django instance it will think the session id is invalid and force the user to log in again.

The only way around this problem is to set the SESSION_COOKIE_NAME to be different for both Django instances.

Rather than change the name of the session cookie, the feature of cookies that allows them to be restricted to a specific URL within a site should probably be supported and that used instead as that is a more standard way of solving this problem. It would also reduce the amount of cookie information having to be sent with a request as only the cookie value for the Django instance being browsed would be sent, instead of all cookies for all Django instances within that virtual host.

Thus, a new SESSION_COOKIE_PATH setting should possibly be supported. This would default if not defined to use '/' as the path so it applies to the whole virtual host, but could be overridden to restrict it to the context of a specific Django instance.
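The collision described above and the effect of a path-scoped session cookie, as an added example (not code from the ticket or from the attached patch). It models a browser cookie store with RFC 6265 path matching; the mount points `/app1/` and `/app2/` and the session values are constructed for illustration.

```python
from http.cookies import SimpleCookie

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does a cookie with this Path apply to the request?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix must end on a "/" boundary, so /app1 does not match /app10/.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def set_cookie_header(name, value, path):
    """Set-Cookie value an instance emits for its session cookie."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = path
    return cookie[name].OutputString()

class Jar:
    """Minimal browser cookie store; cookies are keyed by (name, path)."""
    def __init__(self):
        self.store = {}

    def receive(self, header):
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            self.store[(name, morsel["path"] or "/")] = morsel.value

    def send(self, request_path):
        return {n: v for (n, p), v in self.store.items() if path_match(request_path, p)}

def simulate(path_a, path_b):
    """Log in to instance A, then B; return the cookies each one is then sent.

    Constructed scenario: A is mounted at /app1/, B at /app2/, both keep the
    default cookie name "sessionid" and have separate session databases.
    """
    jar = Jar()
    jar.receive(set_cookie_header("sessionid", "session-from-A", path_a))
    jar.receive(set_cookie_header("sessionid", "session-from-B", path_b))
    return jar.send("/app1/admin/"), jar.send("/app2/admin/")

if __name__ == "__main__":
    # SESSION_COOKIE_PATH left at "/" in both: B's cookie replaces A's.
    print(simulate("/", "/"))
    # SESSION_COOKIE_PATH = "/app1/" and "/app2/": each keeps its own session.
    print(simulate("/app1/", "/app2/"))
```

The Path attribute only controls which cookie the browser sends with a request; both instances still share one origin, so it separates their sessions without isolating one application from the other.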

Attachments (2)

session_cookie_path.2.patch (2.1 KB) - added by frej 17 years ago.
Oops - fix the doc part of the patch
session_cookie_path.patch (1.9 KB) - added by frej 17 years ago.


Change History (9)

comment:1 by Malcolm Tredinnick, 17 years ago

Component: Uncategorized → HTTP handling
Owner: changed from Jacob to Malcolm Tredinnick
Triage Stage: Unreviewed → Accepted

comment:2 by frej, 17 years ago

Has patch: set
Owner: changed from nobody to anonymous

Simple patch attached.
Seems pretty simple.. But there might be more to it?

by frej, 17 years ago

Attachment: session_cookie_path.2.patch added

Oops - fix the doc part of the patch

comment:3 by Fredrik Lundh <fredrik@…>, 17 years ago

Looks good to me (but that's me). A couple of trivial typos in the comments and the documentation needs to be fixed before this is committed, though.

by frej, 17 years ago

Attachment: session_cookie_path.patch added

comment:4 by frej, 17 years ago

Updates patch with better comments/docs.
Ignore '2.patch'

comment:5 by frej, 17 years ago

Keywords: sprintsept14 added

comment:6 by frej, 17 years ago

Owner: changed from anonymous to frej

comment:7 by Malcolm Tredinnick, 17 years ago

Resolution: fixed
Status: new → closed

(In [6545]) Fixed #4724 -- Added support for configurable session cookie paths. Helps with
multiple Django installs under the same hostname. Thanks, frej and Graham
Dumpleton.
