Hi Nick,

I must be really dense today, because I need yet more clarification.

Nick wrote:
Jim Gallacher wrote:

Nick wrote:

How about an explicit "None" value to completely disable it? If you don't want users on your site using it.


Do you mean to disable sessions, or just the session configuration?


Yes, I'm sorry, I mean disable the session mechanism altogether. Some admins may see it as a potential security issue. Although I'm sure you're doing the best you can to make sure it can't be exploited as such, if you make it so people can eventually plug in their own session mechanisms, there might be room for abuse.

Nick


Just so I'm *really* clear, do you mean the current scheme for session handling would also be disabled? For example users would need to catch an exception if the admin has disabled sessions:

def handler(req):
    try:
        sess = Session.Session(req)
    except SecurityException:
        req.log_error('sessions are disabled')

Or do you mean that using a config option like:
    PythonSessionOption session mymodule.MySessionThing

would not be allowed if mymodule.MySessionThing was not in a list of approved session classes?

I really don't see how sessions could be completely disabled, since all you are really doing is setting a cookie and reading/writing some data to a file.

Regards,
Jim
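
Added example, not part of the original message and not mod_python code: one way the two readings discussed above could be combined, with an explicit "None" value that disables sessions and a list of approved session classes that is checked before anything is imported. The names resolve_session_class, SessionsDisabled, SessionClassNotApproved and APPROVED are hypothetical, and collections.OrderedDict is only a constructed stand-in for a real session class.

```python
import importlib


class SessionsDisabled(Exception):
    """The admin set the session option to "None"."""


class SessionClassNotApproved(Exception):
    """The configured class is not on the admin's approved list."""


# Constructed sample allowlist; a real one would name session classes.
APPROVED = {"collections.OrderedDict"}


def resolve_session_class(option_value, approved=APPROVED):
    """Map a 'module.ClassName' option value to a class, or refuse.

    option_value: the string from the config line, for example
                  "mymodule.MySessionThing" or "None".
    approved:     set of dotted names the admin allows.
    """
    value = (option_value or "").strip()
    if value == "None":
        raise SessionsDisabled("sessions are disabled")

    # Compare the exact configured string against the allowlist BEFORE
    # importing: importing a module executes its top-level code, so an
    # unapproved module must never reach import_module().
    if value not in approved:
        raise SessionClassNotApproved(value)

    module_name, _, class_name = value.rpartition(".")
    if not module_name:
        raise SessionClassNotApproved(value)

    module = importlib.import_module(module_name)
    cls = getattr(module, class_name, None)
    # Only accept real classes, not functions or other attributes.
    if not isinstance(cls, type):
        raise SessionClassNotApproved(value)
    return cls
```

Because the allowlist test comes first, an unapproved value such as mymodule.MySessionThing is rejected without its module being loaded.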
