Is there a way to forbid PythonSessionOption from appearing in a .htaccess file? If not, then there is no advantage (security-wise) in having a different configuration directive.
But your point about not breaking existing code is a good one. If someone already uses "PythonOption session*" directives to store some configuration data, we will step on his feet. Of course, this hypothetical guy will not use req.get_session() so there should not be any problem... No, really, I don't think PythonSessionOption is required.

Regards,
Nicolas

2005/6/15, Jim Gallacher <[EMAIL PROTECTED]>:
> Nicolas Lehuen wrote:
> > +1 for PythonOption session_<variable> <value>
> >
> > Unless choosing a specific configuration directive has something to
> > do with security (i.e. no overloading of the settings in .htaccess
> > files)?
>
> Not currently - it's just a cut and paste of directive_PythonOption
> after all. However, a few weeks ago when we first discussed
> req_get_session, one of the motivations was to give the apache server
> admin more control over the session handling. So maybe we do need to
> look at this from security perspective?
>
> Jim
>
> > Regards,
> > Nicolas
> >
> > 2005/6/15, Nick <[EMAIL PROTECTED]>:
> >
> >>Jim Gallacher wrote:
> >>
> >>>Just so I'm *really* clear, do you mean the current scheme for session
> >>>handling would also be disabled?
> >>
> >>The more I think about it, you're right; you can just set up the session
> >>stuff without directives just the same by importing mod_python.Session and
> >>going from there. So that line of reasoning has no merit.
> >>
> >>I was confused by the adding of a new directive, which seems to indicate
> >>that there would be some "default" Session handler being loaded if you
> >>didn't specify one using the directive. Because in the old scheme there
> >>wasn't really any "default" session handling, unless you outright imported
> >>the library and started using it. If it's going to work exactly the same way
> >>as it did before, except now you can configure some defaults in the apache
> >>config, then I'm probably worried over nothing. But it probably should have
> >>an option for "None" or "disabled," which would be the default, meaning I
> >>don't care to use the supplied session handlers, even though it didn't
> >>really do anything extra than it does now.
> >>
> >>But in that case, why not use "PythonOption session_<config_var> <value>",
> >>which is probably what you were asking about in the first place, which I
> >>think someone else mentioned as well. That doesn't imply that there is some
> >>kind of default session handling, just the standard way of passing values
> >>from the apache config to python code. If the plan is to implement a pure C
> >>session handler, then PythonSessionOption makes sense, but otherwise it
> >>doesn't seem necessary.
> >>
> >>Nick