Hi everybody!

I have a question regarding the usage of Beaker cookie-only signed sessions (version 0.9.4) with Apache 2.2.8 (on Ubuntu) with mod_wsgi. We developed a web application with web.py and Beaker. The application performs an authentication step with a small login screen and saves the user info in the session cookie. Furthermore, all GET and POST methods in my controller classes are decorated with a decorator that looks in the session to check if the user is logged in. If not, then it redirects to the login page. Otherwise, it proceeds with the request. As far as I know, this is a standard way of doing access control in web.py. So far, so good.
When I tested the application with web.py's own web server (CherryPy/3.0.1), everything worked just fine. The problem is that when I deployed it on Apache using the embedded mode of mod_wsgi (i.e. there are many Apache child processes and each request is handled by one of them more or less at random), my sessions are invalidated when the request is handled by a child process that is different from the one that created the session. So, if the login request was handled by a child process X, and the next request is handled by a child process Y, the latter does not like the session cookie that was set by X for some reason and invalidates the session. Then it creates a new empty one and redirects the user to the login screen.

I do not understand why this happens, since all the information about the session is stored in the cookie itself and it should not use any in-memory data for reconstructing it. While browsing the sources of Beaker I noticed that it uses the PID to create the session ID, but I did not find any place where it actually uses it to verify the cookie that is received from the browser. Furthermore, when I switched mod_wsgi to daemon mode, the problem was solved and all requests are handled correctly. Still, I will need the embedded mode of mod_wsgi to achieve higher performance in production.

So, my question is: Is it possible and how to use Beaker cookie-only sessions together with the embedded mode of mod_wsgi on Apache?

I started a similar discussion in the Google group of web.py - http://groups.google.com/group/webpy/browse_thread/thread/88d5675f954c924d/c1cff4ad39f1abb4 But thus far, we did not find an explanation for this problem.

Thanks to all of you in advance for any help and suggestions!

Petko
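The property the post relies on, that a signed cookie can be verified by any worker process without shared memory, holds only when every worker holds the same signing key. The sketch below is an added example, not part of the original message and not Beaker's code: `Worker`, `login_then_request` and the key value are hypothetical, and it makes no claim about what Beaker 0.9.4 actually does.

```python
# Added illustration: a generic HMAC-signed cookie, NOT Beaker's implementation.
import base64, hashlib, hmac, json, os


class Worker:
    """Stands in for one Apache child process (hypothetical name)."""

    def __init__(self, secret: bytes):
        self.secret = secret  # signing key held in this process's memory

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self.secret, payload, hashlib.sha256).hexdigest().encode()

    def issue(self, session: dict) -> str:
        payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
        return self._mac(payload).decode() + "." + payload.decode()

    def load(self, cookie: str):
        """Return the session dict, or None if the signature does not verify."""
        mac, sep, payload = cookie.partition(".")
        if not sep:
            return None
        # Constant-time comparison; the payload is decoded only after it verifies.
        if not hmac.compare_digest(mac.encode(), self._mac(payload.encode())):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))


def login_then_request(worker_x: Worker, worker_y: Worker):
    """X handles the login; Y handles the next request carrying X's cookie."""
    cookie = worker_x.issue({"user": "alice", "logged_in": True})  # constructed sample
    return worker_y.load(cookie)


def demo():
    configured = b"constructed-validate-key"  # same key loaded by every child
    shared = login_then_request(Worker(configured), Worker(configured))
    # Each child generating its own key at startup: X's cookie is rejected by Y.
    per_process = login_then_request(Worker(os.urandom(32)), Worker(os.urandom(32)))
    return shared, per_process


if __name__ == "__main__":
    print(demo())
```

Logging which PID issued and which PID rejected a cookie, together with a hash of the key each one holds, is a quick way to confirm or rule out this condition in an embedded-mode deployment.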
