Nicolas Lehuen wrote:
Is there a way to forbid PythonSessionOption from appearing in a .htaccess file? If not, then there is no advantage (security-wise) in having a different configuration directive.
I know we've decided on using PythonOption session_* instead, but looking at http://www.apachetutor.org/dev/config under the "Scope of Configuration" it looks like it may not be that hard to restrict the use of PythonSessionOption in a .htaccess file.
Is it worth pursuing? Now is the time to do it. If we change it later it means everyone will need to refactor their config files and any subclasses of BaseSession.
Regards, Jim