Nicolas Lehuen wrote:
Is there a way to forbid PythonSessionOption from appearing in a
.htaccess file ?
I don't know. Is there a way to restrict the use of any Python*
directives? Or to restrict the use of AddHandler mod_python? These
restrictions would be useful in a shared hosting environment in general.
This might be something to pursue, but if we want to release 3.2 before,
say Christmas... ;)
If not, then there is no advantage (security-wise) in
having a different configuration directive.
But your point about not breaking existing code is a good one. If
someone already uses "PythonOption session*" directives to store some
configuration data, we will step on his feet. Of course, this
hypothetical guy will not use req.get_session() so there should not be
any problem... No, really, I don't think PythonSessionOption is
required.
And there is an argument to be made for avoiding code bloat. So
PythonOption session_* it is then.
Regards,
Jim
Regards,
Nicolas
2005/6/15, Jim Gallacher <[EMAIL PROTECTED]>:
Nicolas Lehuen wrote:
+1 for PythonOption session_<variable> <value>
Unless choosing a specific configuration directive has something to
do with security (i.e. no overloading of the settings in .htaccess
files) ?
Not currently - it's just a cut and paste of directive_PythonOption
after all. However, a few weeks ago when we first discussed
req_get_session, one of the motivations was to give the apache server
admin more control over the session handling. So maybe we do need to
look at this from security perspective?
Jim
Regards,
Nicolas
2005/6/15, Nick <[EMAIL PROTECTED]>:
Jim Gallacher wrote:
Just so I'm *really* clear, do you mean the current scheme for session
handling would also be disabled?
The more I think about it, you're right; you can just set up the session
stuff without directives just the same by importing mod_python.Session and
going from there. So that line of reasoning has no merit.
I was confused by the adding of a new directive, which seems to indicate
that there would be some "default" Session handler being loaded if you
didn't specify one using the directive. Because in the old scheme there
wasn't really any "default" session handling, unless you outright imported
the library and started using it. If it's going to work exactly the same way
as it did before, except now you can configure some defaults in the apache
config, then I'm probably worried over nothing. But it probably should have
an option for "None" or "disabled," which would be the default, meaning I
don't care to use the supplied session handlers, even though it didn't
really do anything extra than it does now.
But in that case, why not use "PythonOption session_<config_var> <value>",
which is probably what you were asking about in the first place, which I
think someone else mentioned as well. That doesn't imply that there is some
kind of default session handling, just the standard way of passing values
from the apache config to python code. If the plan is to implement a pure C
session handler, then PythonSessionOption makes sense, but otherwise it
doesn't seem necessary.
Nick
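Jim's question above (can a server admin stop Python* directives, including session settings, from being set in a .htaccess file on shared hosting?) has an answer at the Apache level rather than in mod_python: the per-directory `AllowOverride` directive decides which directive classes .htaccess may use at all. The following httpd.conf fragment is an added illustration, not configuration from the thread or from the mod_python project. The `session_*` option names are placeholders following the "PythonOption session_<variable> <value>" pattern discussed above; the option names actually shipped by mod_python are not stated in this thread and may differ.

```apache
# Shared-hosting vhost: the admin fixes the session settings once in the
# server config and prevents tenants from overriding them in .htaccess.
<VirtualHost *:80>
    ServerName shared.example
    DocumentRoot /var/www/tenants

    <Directory /var/www/tenants>
        # AllowOverride None disables .htaccess processing entirely for
        # this tree, so no PythonOption / PythonHandler / AddHandler
        # lines placed there by a tenant take effect.
        #
        # Caveat: httpd accepts a directive in .htaccess when the
        # directory's AllowOverride mask shares any bit with the class the
        # module registered the directive under. mod_python registers its
        # directives for all override classes, so a partial setting such as
        # "AllowOverride AuthConfig" still lets PythonOption through.
        # Only "None" blocks them.
        AllowOverride None

        # Session configuration decided by the admin, using the
        # "PythonOption session_<variable> <value>" form from the thread.
        # Names below are illustrative placeholders, not mod_python's.
        PythonOption session_type      FileSession
        PythonOption session_directory /var/lib/mod_python/sessions
        PythonOption session_timeout   1800

        # Handler mapping also lives here rather than in .htaccess.
        AddHandler mod_python .py
        PythonHandler mod_python.publisher
    </Directory>
</VirtualHost>
```

Tenant code then reads the admin-supplied values through `req.get_options()` and `req.get_session()`, and nothing a tenant writes in a .htaccess under the tree changes them. If some directories must keep .htaccess for unrelated reasons (rewrite rules, basic auth), put those in a separate `<Directory>` block, keeping in mind the caveat in the comments: any non-`None` value reopens the Python* directives for that directory.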