Opened 17 years ago
Closed 17 years ago
#4724 closed (fixed)
Add SESSION_COOKIE_PATH setting.
| Reported by: | | Owned by: | frej |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | | Keywords: | sprintsept14 |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
When using a pure Python web server executed from command line Python it is only possible to run one Django instance. This is because of how the configuration settings module is derived from the os.environ value. If however using mod_python, more than one Django instance can be run by using the PythonInterpreter directive of mod_python to force them to be run in different Python sub interpreters.
If these two Django instances are running in distinct virtual hosts then all will be fine. If however the two Django instances are running at different URL mount points within the same virtual host, problems will be encountered where each instance is making use of authenticated sessions, e.g. admin interface, and they have different user/session databases.
The problem here is that each Django instance will attempt to use the same cookie name for tracking the session, thus the first Django instance to set it will win. When one now browses to the other Django instance it will think the session id is invalid and force the user to log in again.
The only way around this problem is to set the SESSION_COOKIE_NAME to be different for both Django instances.
Rather than change the name of the session cookie, the feature of cookies that allows them to be restricted to a specific URL within a site should probably be supported and that used instead as that is a more standard way of solving this problem. It would also reduce the amount of cookie information having to be sent with a request as only the cookie value for the Django instance being browsed would be sent, instead of all cookies for all Django instances within that virtual host.
Thus, a new SESSION_COOKIE_PATH setting should possibly be supported. This would default if not defined to use '/' as the path so it applies to the whole virtual host, but could be overridden to restrict it to the context of a specific Django instance.
Attachments (2)
Change History (9)
comment:1 by , 17 years ago
Component: | Uncategorized → HTTP handling |
---|---|
Owner: | changed from | to
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 17 years ago
Has patch: | set |
---|---|
Owner: | changed from | to
by , 17 years ago
Attachment: | session_cookie_path.2.patch added |
---|
Oops - fix the doc part of the patch
comment:3 by , 17 years ago
Looks good to me (but that's me). A couple of trivial typos in the comments and the documentation needs to be fixed before this is committed, though.
by , 17 years ago
Attachment: | session_cookie_path.patch added |
---|
comment:5 by , 17 years ago
Keywords: | sprintsept14 added |
---|
comment:6 by , 17 years ago
Owner: | changed from | to
---|
comment:7 by , 17 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Simple patch attached.
Seems pretty simple... But there might be more to it?