Hi, Michael. I have investigated the source too, and found out that session instances are thread-safe. Thanks for the reply anyway, I really appreciate it.
> also I'd advise using CookieSession overall, it's way more efficient
> and scalable. I'd love to rip the plain Session out of beaker
> altogether.

I think it is a bad option. Let's say, we have implemented a "Use HTTPS" mode like in twitter. There is a checkbox option in a user settings area which can be turned on/off by the account owner. When the user activates this option you have to _invalidate_ current session because the cookie associated with the session is insecure. Then, you can create a new session and assign its ID to a newly created _secure_ cookie.

If we would use pure cookie-based sessions, how can we ensure that the user has only one _valid_ and _secure_ session for all the time? Any previously created pure cookie-based session remains valid if it was encrypted by the same (system-wide server side) secret key, doesn't it? I think the possibility of having more than a single valid session for a particular user might be insecure.

On Apr 20, 9:52 pm, Michael Bayer <[email protected]> wrote:
> looking at the source it seems like you could call
> _set_cookie_values() and _update_cookie_out() manually to re-send the
> cookie.
>
> also I'd advise using CookieSession overall, it's way more efficient
> and scalable. I'd love to rip the plain Session out of beaker
> altogether.
>
> On Apr 19, 12:26 pm, Max Avanov <[email protected]> wrote:
>
> > The Beaker's session object accepts a "cookie_expires" parameter from
> > the system-wide config. What should I do if I want to implement
> > "remember me" option for per-user scope? I mean the following
> > behaviour:
> >
> > # In development.ini the "cookie_expires" option is set to True
> >
> > def authenticate(<various_credentials>, remember=False):
> >     ...
> >     if remember:
> >         session.cookie_expires = expiration_date
> >         session.invalidate()
> >     session[SESSION_KEY] = <user_identity>
> >     session.save()
> >
> > So, I have to call invalidate() first in order to properly set an
> > expiration date for the current user session. Otherwise (i.e. without
> > invalidate() call) the session will use the "expire_cookies=True"
> > mode.
> > It acts like a shared object and I don't even know is this a
> > thread-safe way to change cookie_expires? How to get it done properly?
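
The revocation question raised in the reply above, as an added example that is not part of the thread and is not Beaker's code: a cookie that is only checked against a server-wide key stays acceptable after a new one is issued, while binding it to a per-user generation counter lets the server reject the old one. The HMAC-signed cookie format, the `user_epoch` store, and all function names are assumptions made for illustration; Beaker's CookieSession is not used here.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # stands in for the system-wide secret
user_epoch = {}                   # hypothetical server-side store: user -> session generation


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()


def issue_cookie(user: str, secure: bool) -> str:
    """Signed cookie value bound to the user's current generation."""
    claims = {"user": user, "secure": secure, "epoch": user_epoch.setdefault(user, 0)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()


def verify_signature_only(cookie: str):
    """Stateless check: proves the server issued the cookie, nothing more."""
    try:
        body, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:  # missing separator or malformed base64
        return None
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return None
    return json.loads(payload)


def verify_with_epoch(cookie: str):
    """Also require the cookie's generation to match the server-side one."""
    claims = verify_signature_only(cookie)
    if claims is None or claims["epoch"] != user_epoch.get(claims["user"]):
        return None
    return claims


def rotate(user: str, secure: bool) -> str:
    """'Use HTTPS' toggled: bump the generation, then issue the new cookie."""
    user_epoch[user] = user_epoch.get(user, 0) + 1
    return issue_cookie(user, secure)


if __name__ == "__main__":
    old = issue_cookie("max", secure=False)   # constructed sample user
    new = rotate("max", secure=True)
    print(verify_signature_only(old) is not None)  # old cookie still passes the stateless check
    print(verify_with_epoch(old), verify_with_epoch(new))
```

The per-user counter is a small piece of server-side state; without some state of this kind, a signed cookie stays acceptable until it expires or the key changes.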
