My feelings are 2-fold:
1. I don't think session management is strictly part of mod_python as an
Apache handler, but rather as a utility module that can be used in
conjunction with it. In that sense, I don't think it needs its own directive.
2. I'd rather see more time spent on outstanding release issues :)
Nick
Jim Gallacher wrote:
Nicolas Lehuen wrote:
Is there a way to forbid PythonSessionOption from appearing in a
.htaccess file? If not, then there is no advantage (security-wise) in
having a different configuration directive.
I know we've decided on using PythonOption session_* instead, but
looking at http://www.apachetutor.org/dev/config under the "Scope of
Configuration" it looks like it may not be that hard to restrict the use
of PythonSessionOption in a .htaccess file.
Is it worth pursuing? Now is the time to do it. If we change it later it
means everyone will need to refactor their config files and any
subclasses of BaseSession.
Regards,
Jim