Author: loic
Date: Tue Aug 11 12:36:27 2009
New Revision: 6142

URL: http://svn.gna.org/viewcvs/pokersource?rev=6142&view=rev
Log:
Remove cookies from pokersite.py and replace them with uid and auth request 
arguments. Removing the cookies enables integration with opensocial containers. 
In an opensocial container all applications run under the same domain and the 
container hides cookies from them to isolate each application. Relying on 
cookies prevents the application from running properly. The cookie is replaced with 
two arguments because it is used for two different purposes: authentication 
and sessions. The uid argument is a session hash that is used to store outgoing 
packets for a given client between two polls. A session is associated with a 
single avatar at all times. The auth argument is an authentication hash that is 
associated with the serial of a logged in user after a successful 
authentication.

Here are a few use cases in the context of the jpoker JavaScript client:

1) jpoker is loaded and creates a uid hash and an auth hash that it sends with 
each REST request. When the user joins a table, the session persists and the 
avatar stores outgoing packets. When the user logs in, the auth hash is 
associated with the serial in memcache.

2) jpoker is loaded on two tabs in the same browser, the auth hash is set in a 
cookie by the first tab and re-used by the second tab. Each tab creates its own 
uid session hash and has therefore a private session. Authentication is shared 
but sessions are separated for each tab. When a tab is unloaded the session is 
expired. When the tab reloads it acts as if it was a new tab.

3) jpoker is loaded on a tab, using a href link an application such as pok.me 
is launched. When the application is launched the href link carries the auth 
hash that allows the application to run with the same user. The application is 
responsible for creating a uid session hash in order to get its own session.

Release notes

1) no backward compatibility.

   Previous behaviour:

   There can be only one authenticated session at any given time.
   The session is identified by a HASH stored in a cookie.
   The cookie name is TWISTED_SESSION or TWISTED_SESSION_<NAME> if the
   QUERY_STRING argument name=<NAME> is present.
   If the QUERY_STRING argument count=<X> is present, any further incoming
   requests with a QUERY_STRING argument count=<Y> where Y < X is refused and
   the corresponding session HASH is blacklisted.

   Current behaviour:

   There is no limitation on the number of simultaneous authenticated sessions.
   The session is a hash stored in the uid argument of the QUERY_STRING.
   The authentication is a hash stored in the auth argument of the QUERY_STRING.
   There is no cookie.
   It is recommended that the JavaScript client keeps track of the authentication
   hash in a cookie so that multiple tabs can share authentication.

2) The getSession method of the Request class no longer relies on the base
   class implementation because it only uses QUERY_STRING arguments instead.

3) The getSession method of the Site class changed prototype and now has
   uid & auth instead of just uid.

4) The expireSessionCookie function has been removed entirely. The expiration of
   a cookie is now entirely controlled by the client because the server no longer
   creates and sends a cookie.

5) The memcache entries were previously set to associate the session id with the
   user serial (or zero if anonymous). The session id (uid) is no longer used for
   this purpose. The auth argument is used as a memcache key that is associated
   with the serial of an authenticated user.

6) The Session instance has a new auth member that stores the value of the auth
   hash, which is later used for session expiration or when the updateSession
   method of a Site is called. If the serial has changed, the auth member is
   used to update the memcache accordingly.

7) In the tests, the

   r.args = { 'name': [ 'name' ] }
   r.getSession()...
   r.requestReceived('GET', '/', '')

   sequence worked, although it should have been

   r.args = { 'name': [ 'name' ] }
   r.getSession()...
   r.requestReceived('GET', '/?name=name', '')

   This was probably a positive side effect of the usage of the cookies. In the new
   implementation, the r.requestReceived('GET', '/?uid=uid&auth=auth', '') was
   used everywhere because it failed without it.

8) The avatar / image tests used multiple operations to authenticate a user, based
   on the previous conventions. It has been replaced, where relevant, with the
   following sequence:

            r.args = { 'uid': [ 'uid' ], 'auth': ['auth'] }
            r.site.memcache.set('auth', '111')

9) The Transport mockup used by PokerAvatarResourceTestCase was the one from
   PokerImageUploadTestCase instead. This was fixed.

10) The unicode key test was extended to the auth argument, for sanity.

        def getSession(self, uid, auth):
            if not isinstance(uid, str):
                etc...

11) In test-proxyfilter.py.in all
    headers = { 'Cookie': 'TWISTED_SESSION_name=session' }
    and
    self.proxy_site.memcache.set(str(serial), 'session')
    were removed and
    /POKER_REST?name=name
    was changed to
    /POKER_REST?uid=uid&auth=auth
    but the logic of the tests was otherwise unchanged.

A bug was fixed in the test-pokersite.py.in suite:
pokermemcache.memcache_*.clear() are called to reset the test singleton in 
between tests. A test previously failed because of a side effect that revealed 
this bug.

Modified:
    branches/multi-session/pokernetwork/pokersite.py
    branches/multi-session/tests/test-pokersite.py.in
    branches/multi-session/tests/test-proxyfilter.py.in


_______________________________________________
Pokersource-commits mailing list
[email protected]
https://mail.gna.org/listinfo/pokersource-commits
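The session/authentication split described in the commit message (use cases 1 to 3 and release notes 5, 6 and 10) modelled as a small, self-contained Python 3 program. This is an added illustration, not code from pokersource or from the pokersite.py revision above: the MemcacheStub, Session, Site and Request classes are assumptions about the shape of the real classes, the sample query strings and the '111' serial are constructed to mirror the test sequence quoted in release note 8, and args are plain str rather than Twisted's request arguments.

```python
# Added illustration, NOT pokersource code: a minimal model of the uid/auth
# scheme from the commit message. Class names mimic those in the release notes
# but are assumptions about their shape, not the project's real classes.
from urllib.parse import parse_qs


class MemcacheStub:
    """Constructed stand-in for the pokermemcache singleton: auth hash -> serial."""

    def __init__(self):
        self._store = {}

    def get(self, key):
        return self._store.get(key)

    def set(self, key, value):
        self._store[key] = value

    def delete(self, key):
        self._store.pop(key, None)

    def clear(self):
        # Release note: cleared between tests to reset the singleton.
        self._store.clear()


class Session:
    """One session per uid; holds packets queued between two polls."""

    def __init__(self, uid, auth):
        self.uid = uid
        self.auth = auth        # auth hash, kept for updateSession / expiry
        self.serial = 0         # 0 == anonymous
        self.outgoing = []      # packets waiting for the next poll
        self.expired = False


class Site:
    def __init__(self, memcache):
        self.memcache = memcache
        self.sessions = {}      # uid -> Session

    def getSession(self, uid, auth):
        # Sanity check from release note 10: both keys must be plain str.
        if not isinstance(uid, str) or not isinstance(auth, str):
            raise TypeError("uid and auth must be str")
        session = self.sessions.get(uid)
        if session is None or session.expired:
            session = Session(uid, auth)
            self.sessions[uid] = session
        # Authentication is looked up by auth hash, independently of the uid,
        # so two tabs with different uids but the same auth share the user.
        serial = self.memcache.get(auth)
        session.serial = int(serial) if serial is not None else 0
        return session

    def updateSession(self, session, serial):
        """After login/logout: re-associate the auth hash with the new serial."""
        if serial != session.serial:
            session.serial = serial
            if serial:
                self.memcache.set(session.auth, str(serial))
            else:
                self.memcache.delete(session.auth)

    def expireSession(self, uid):
        """Tab unloaded: drop the queued packets; the auth hash stays valid."""
        session = self.sessions.pop(uid, None)
        if session is not None:
            session.expired = True
            session.outgoing = []


class Request:
    """Minimal request: uid and auth come from the QUERY_STRING, never a cookie."""

    def __init__(self, site, path):
        self.site = site
        query = path.partition('?')[2]
        self.args = parse_qs(query)   # e.g. {'uid': ['uid'], 'auth': ['auth']}

    def getSession(self):
        try:
            uid = self.args['uid'][0]
            auth = self.args['auth'][0]
        except KeyError:
            raise ValueError("uid and auth arguments are required")
        return self.site.getSession(uid, auth)


def two_tabs_share_login():
    """Use case 2: one auth hash, two uids -> same serial, separate queues."""
    site = Site(MemcacheStub())
    site.memcache.set('auth', '111')          # constructed, as in release note 8
    tab1 = Request(site, '/POKER_REST?uid=uid1&auth=auth').getSession()
    tab2 = Request(site, '/POKER_REST?uid=uid2&auth=auth').getSession()
    tab1.outgoing.append('PacketPokerTable')  # constructed packet for tab 1 only
    shared_login = (tab1.serial, tab2.serial)
    private_queues = (len(tab1.outgoing), len(tab2.outgoing))
    # Logging out from tab1 removes the memcache entry, so tab2's next poll
    # comes back anonymous even though its uid session is untouched.
    site.updateSession(tab1, 0)
    tab2_again = Request(site, '/POKER_REST?uid=uid2&auth=auth').getSession()
    return shared_login, private_queues, tab2_again.serial


def rejects_non_str_keys():
    """Release note 10: a non-str uid or auth is refused."""
    try:
        Site(MemcacheStub()).getSession(b'uid', 'auth')
    except TypeError:
        return True
    return False


if __name__ == '__main__':
    print(two_tabs_share_login(), rejects_non_str_keys())
```

The point the model makes visible is that the auth hash, not the uid, is the bearer credential: any request carrying a known auth hash in its query string is treated as that user, whichever uid session it belongs to, and logging out from one tab revokes it for every tab because the memcache entry keyed by the hash is the only thing tying it to a serial. The uid only scopes the outgoing packet queue, which is why expiring it on tab unload loses nothing about authentication.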
