Hi Nick,
I must be really dense today, because I need yet more clarification.
Nick wrote:
Jim Gallacher wrote:
Nick wrote:
How about an explicit "None" value to completely disable it? If you
don't want users on your site using it.
Do you mean to disable sessions, or just the session configuration?
Yes, I'm sorry, I mean disable the session mechanism altogether. Some
admins may see it as a potential security issue. Although I'm sure
you're doing the best you can to make sure it can't be exploited as
such, if you make it so people can evenutally plug in their own session
mechanisms, there might be room for abuse.
Nick
Just so I'm *really* clear, do you mean the current scheme for session
handling would also be disabled? For example users would need to catch
an exception if the admin has disabled sessions:
def handler(req):
try:
sess = Session.Session(req)
except SecurityException:
req.log_error('sessions are disabled')
Or do you mean that using a config option like:
PythonSessionOption session mymodule.MySessionThing
would not be allowed if mymodule.MySessionThing was not in a list of
approved session classes?
I really don't see how sessions could be completely disabled, since all
you are really doing is setting a cookie and reading/writing some data
to a file.
Regards,
Jim
