Previously we've discussed the assumptions in Pyramid's ISession and Session code and in 'pyramid_redis_sessions'. I complained that pickled sessions are hard to monitor in aggregate in the backend, because you have to deserialize each one in Python to query a property, or visually interpret the Pickle protocol. I tried JSON serialization under pyramid_redis_sessions, and it works and is more readable, but still not ideal because it escapes quotes in the JSON like Python's repr().
I'm now considering another idea, of keeping the traditional session ID cookie but storing the session variables in individual Redis keys, allowing all Redis datatypes and operations, and making the caller responsible for any JSON serializing of individual session variables. I think I'll have to bypass most of 'pyramid.session' because it and all the third-party adapters really, really, really want to serialize the session to a string and make it hard not to. I'm not sure I necessarily need the 'request.session' API, just some convenient way to get the values. What I don't want to write is the session ID generation, cookie, and signing code.

That sounds like the same code Pyramid's AuthTicket class replicates, so I'm wondering if I can piggyback on the auth ticket as a session ID. (That will work in my current application, which has authentication. It won't work in my other applications, which don't, but I can cross that bridge when I get to it.) I'm not sure if I can get the auth ticket ID in views, but if I can, then everything else should fall into place.

Does this sound like a viable idea, or are there any technical or security gotchas I should be aware of? If this doesn't work and I have to make my own session ID cookie, what do I need to keep in mind? I hear people talk about signing session cookies and tying the session to the client's IP. Is there anything else I should tie it to?

-- Mike Orr <[email protected]>

-- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. Visit this group at http://groups.google.com/group/pylons-discuss.
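The two pieces the post asks about, a signed session ID cookie and session variables kept as individual Redis keys, can be sketched independently of Pyramid. The following is an added example written for this page, not code from the post or from Pyramid or pyramid_redis_sessions. It assumes a plain HMAC-SHA256 signature over the session ID (not Pyramid's auth_tkt format), a constructed secret key, and a dictionary standing in for the Redis client; the key naming scheme `session:<id>:<name>` is a hypothetical choice made here.

```python
import hashlib
import hmac
import secrets

# Constructed example secret; a real deployment would load this from configuration.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def new_session_id() -> str:
    """Generate an unguessable session ID (128 bits from the OS CSPRNG).

    token_urlsafe only emits [A-Za-z0-9_-], so '.' can safely separate
    the ID from its signature in the cookie value.
    """
    return secrets.token_urlsafe(16)


def sign_session_id(session_id: str, key: bytes = SECRET_KEY) -> str:
    """Return the cookie value '<session_id>.<hex HMAC-SHA256(session_id)>'."""
    mac = hmac.new(key, session_id.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_session_cookie(cookie_value: str, key: bytes = SECRET_KEY):
    """Return the session ID if the signature is valid, otherwise None.

    The comparison is constant-time so a forger learns nothing from timing.
    """
    session_id, sep, mac = cookie_value.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(key, session_id.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return session_id


class PerKeySessionStore:
    """Each session variable lives under its own key 'session:<id>:<name>'.

    A plain dict stands in for a redis.Redis client here (hypothetical
    stand-in); with Redis the same naming scheme lets an operator list or
    inspect one variable across all sessions without deserializing any
    pickled blob.
    """

    def __init__(self):
        self._kv = {}

    @staticmethod
    def key(session_id: str, name: str) -> str:
        return f"session:{session_id}:{name}"

    def set(self, session_id: str, name: str, value: str) -> None:
        # The caller is responsible for serializing 'value' (e.g. to JSON).
        self._kv[self.key(session_id, name)] = value

    def get(self, session_id: str, name: str):
        return self._kv.get(self.key(session_id, name))

    def names(self, session_id: str) -> list:
        """List the variable names stored for one session (Redis SCAN analogue)."""
        prefix = f"session:{session_id}:"
        return sorted(k[len(prefix):] for k in self._kv if k.startswith(prefix))

    def delete_session(self, session_id: str) -> int:
        """Remove every key belonging to the session; returns how many were removed."""
        prefix = f"session:{session_id}:"
        doomed = [k for k in self._kv if k.startswith(prefix)]
        for k in doomed:
            del self._kv[k]
        return len(doomed)


def load_session(cookie_value: str, store: PerKeySessionStore, key: bytes = SECRET_KEY):
    """Validate the cookie, then return (session_id, {name: value}) or None."""
    session_id = verify_session_cookie(cookie_value, key)
    if session_id is None:
        return None
    data = {name: store.get(session_id, name) for name in store.names(session_id)}
    return session_id, data


if __name__ == "__main__":
    store = PerKeySessionStore()
    sid = new_session_id()
    cookie = sign_session_id(sid)
    store.set(sid, "user_id", "42")
    store.set(sid, "prefs", '{"theme": "dark"}')
    print(load_session(cookie, store))
    print(load_session(cookie[:-1] + "x", store))  # tampered signature
```

Because the signature covers only the session ID, the Redis side never needs to trust the cookie: a valid cookie proves the client was issued that ID, and every variable is then read or written under that ID's key prefix, which is what keeps the individual keys queryable from the backend.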
