Hi list - A Beaker issue exists, which seems to be the result of some changes made at some point due to a request to minimize unnecessary "Set-cookie" headers. My proposal would be to restore the old behavior, or a compatible variant of it, to both file-based and cookie-based sessions in Beaker.

The issue is this. The browser requests a page, has no cookie. The controller does some logic like this:

    key = session.id
    < do something with the key, but does not session.save() >

and... that's it! Particularly with cookie-based sessions, the above operation is significant since you might be (as I am) storing that session id in the database, but not otherwise doing anything with the contents of the session (storing things *in* the session is very 1998 anyway).

But what's wrong? The browser now requests again, and the controller says:

    key = session.id
    < do something with the key >

Above, *the session.id is now different*! The contract of "please give me the unique id for this browser session" has been broken. Why is this? Because the session did not honor the "session.is_new()" flag and send out a set-cookie.

Apparently some user was offended by this behavior, for reasons unclear (if those users want to chime in on their rationale, that would be most valuable). Their argument was, "since I didn't session.save(), no cookie should be sent". Well, that behavior is just wrong. session.save() is used to *update* the contents of the session, not establish that a session exists. If you do some stuff with the session, save or not, you've asked it for the id - and that id is now linked, hence a set-cookie header is necessary if the id is newly generated. If you change your mind midway through the request and want to throw away that session, by far the less common use case, you say session.invalidate(). There is no implicit behavior here.

The proposal therefore is:

1. when a session is accessed in any way, and the "new" flag is set, a Set-cookie header is emitted on response
2. if session.invalidate() is called and the "new" flag is set, no header is emitted.
3. session.save() only refers to the contents of the session, not its existence.

Commentary is greatly appreciated here.

I do have commit access to Beaker (since I originally wrote it), so if no one objects I'll be going forward with this proposal.
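
A minimal model of the two cookie policies discussed in the message above, added here as an illustration; it is not Beaker's code and not part of the original post. The `Session` class, the two policy functions and `browse()` are hypothetical names, and the model covers only the cookie that carries the session id.

```python
import uuid


class Session:
    """Hypothetical lazily created session; models only the id cookie."""

    def __init__(self, cookie_id=None):
        self._id = cookie_id
        self.is_new = cookie_id is None   # no cookie arrived with the request
        self.accessed = False
        self.saved = False
        self.invalidated = False

    @property
    def id(self):
        self.accessed = True
        if self._id is None:
            self._id = uuid.uuid4().hex   # freshly generated id
        return self._id

    def save(self):
        self.accessed = True
        self.saved = True

    def invalidate(self):
        self.invalidated = True


def cookie_on_save_only(s):
    """Behavior the message objects to: a cookie is sent only after save()."""
    return s.saved


def cookie_proposed(s):
    """Rules 1-3 of the proposal, for the id cookie of a new session."""
    if not s.is_new:
        return False   # assumption: the browser already holds this id
    return s.accessed and not s.invalidated


def browse(policy, requests=2):
    """Simulate page loads where the controller reads session.id, never saves."""
    cookie, seen = None, []
    for _ in range(requests):
        s = Session(cookie)
        seen.append(s.id)      # key = session.id
        if policy(s):
            cookie = s.id      # response carried a Set-Cookie header
    return seen
```

Under `cookie_on_save_only` each request in `browse()` yields a different id, so a database row keyed on the first id is never matched again; under `cookie_proposed` the id is stable from the first access.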
