On Aug 11, 2005, at 2:38 AM, Al Pacifico wrote:
I was experimenting with quixote/config.py from Quixote 2.1 and
found the
dump() method raises an Attribute error unless check_session_addr is
explicitly defined in the arguments to instantiation of a Config
instance.
The root cause is that the global variable CHECK_SESSION_ADDR is not
defined. The same is true of 2.0, but the CHANGES file suggests
CHECK_SESSION_ADDR was removed between 2.0a5 and 2.0. Looks to me
like the
config_vars list shouldn't include the string
'check_session_addr' (line
107).
Good catch. Does anyone mind if I just remove the Config.dump() method
and 'check_session_addr' in the config_vars list?
I know that here, we don't either.
I'm a newcomer to Quixote and at first, I thought the Config class
defined
in quixote/config.py was deprecated, but I see it is imported by both
publish.py and publish1.py, so I assume this error is worth
addressing.
Since CHECK_SESSION_ADDR has been removed, is there a standard
method for
requiring that a given session cookie always is submitted from the
same IP
address (I haven't examined the session code yet) or has this been
discarded
as a bad idea?
I bet that kind of checking is a good idea in some situations.
An application could implement it by explictly checking, in the
root _q_traverse(), to see that the get_request().get_environ
('REMOTE_ADDR')
matches the get_session().get_remote-address(), and responding
appropriately if it does not match.
The appropriate response might vary from one application to another:
maybe you just want to log the event, or maybe you want to revoke
the cookie, or maybe you want to do something else.
_______________________________________________
Quixote-users mailing list
[email protected]
http://mail.mems-exchange.org/mailman/listinfo/quixote-users
