Sophana wrote:
> Christoph Zwerschke wrote:
>> Maybe we should make '/' the default CookiePath again instead of None
>> (automatic determination)? This is less secure, but at least it will
>> always work (Microsoft policy ;-) This issue has already caused too much
>> confusion in the past.
>>
Christoph Zwerschke wrote:
> Sophana wrote:
>
>> I reverted to 0.9.2 because of the cookie clear bug which I couldn't
>> find a workaround.
>>
>
> If you provide a test case for that bug, I'll try to fix it in the next
> version.
>
>
>>> But this would be redirected to /wk/wk/* and n
Sophana wrote:
> I reverted to 0.9.2 because of the cookie clear bug which I couldn't
> find a workaround.
If you provide a test case for that bug, I'll try to fix it in the next
version.
>> But this would be redirected to /wk/wk/* and not work anyway?
> No, in my case I only redirect / (^/$) wi
Christoph Zwerschke wrote:
> Sorry for the late answer, I was offline for some weeks.
>
> sophana wrote:
>
>> Now looking at firefox cookie list, when I go to my server root url, I
>> get a SID cookie with the path set to //
>>
>
> This is a bug. It should only be '/'. I have already fix
Sorry for the late answer, I was offline for some weeks.
sophana wrote:
> Now looking at firefox cookie list, when I go to my server root url, I
> get a SID cookie with the path set to //
This is a bug. It should only be '/'. I have already fixed it in the
trunk. Can you try again with the HTTPR
Christoph Zwerschke wrote:
> Concerning the sessions, this may have to do with the more secure
> default cookie path for Webware. It will be probably using '/wk' now,
> while you had been using '/'. If you still experience problems with the
> cookies, you can set a fixed cookie path in 0.9.4,
> I will revert to the previous server, then try to reproduce the problem.
> I hope the session incompatibility will not show up again...
Yes, you should check the new version on the old server and the old
version on the new server to see whether it is an issue of the server
or Webware. I hav
Jkx wrote:
> Hi all,
>
> I've been off webware for a while now, but yesterday I need to
> update my website, and I run into some issues with an old webware
> install (which work smoothly since 2 years).
>
> I switched to mod2_webkit, and last stable webware release 0.9.3 +
> apache 2.2 (my prev
Ho I miss to answer, this email !
/me slaps me !!!
In fact, I hand patched this stuff like Christoph ask, but I run into
other issues.. mainly cause I already asked the URLParser before:
http://www.larsen-b.com/Article/91.html
I managed to fix the issue, but don't ask me exactly how. Afte
including feedback and proposals.
Subject: Re: [Webware-discuss] Session Issue
I'm kinda nervous to expose how I do things, for fear of being told I'm
completely smoking crack, BUT...
We use mod_rewrite to map the /wk/ noise right to the document root in
the httpd.conf file (similarly
To: Discussion of Webware for Python including feedback and proposals.
Subject: Re: [Webware-discuss] Session Issue
Jerome Kerdreux wrote:
> Hum .. I guess you found something. The url is
> http://www.larsen-b.com/Articles/X.html
> but the cookie path is "/wk/" ... Do you
Jerome Kerdreux wrote:
> Hum .. I guess you found something. The url is
> http://www.larsen-b.com/Articles/X.html
> but the cookie path is "/wk/" ... Do you have an idea to fix this ?
I cannot see how this happens with the rewrite rules you posted, but you
wrote that you are using another URLD
On Mon, 14 May 2007 22:54:58 +0200
Christoph Zwerschke <[EMAIL PROTECTED]> wrote:
> Jerome Kerdreux wrote:
> > Hum, I missed to say that firefox see the SID cookie, the issue is that
> > my code doesn't have it, so create a new session cookie at each request.
> >
> > In awake(), I checked for
Jerome Kerdreux wrote:
> Hum, I missed to say that firefox see the SID cookie, the issue is that
> my code doesn't have it, so create a new session cookie at each request.
>
> In awake(), I checked for trans.request()._environ['HTTP_COOKIE'] this
> give me some cookie but not the SID one ..
On Mon, 14 May 2007 19:02:16 +0200
Christoph Zwerschke <[EMAIL PROTECTED]> wrote:
> Jkx wrote:
> >> * If you create an empty (default) working dir, does it work?
> >
> > It should work (as my app is running), I only have some issues
> > with Session (all other is working fine)
>
> I mean, do s
Jkx wrote:
>> * If you create an empty (default) working dir, does it work?
>
> It should work (as my app is running), I only have some issues
> with Session (all other is working fine)
I mean, do sessions (e.g. the CountVisits example) work when you create
an empty working dir?
> Here is my
> After some tweaks in the webware context config, all is working
> quite fine. (migration was easy :) .. but the session doesn't work
> any more. And even worse I try to do some debugging, and find that
> trans.request()._environ['HTTP_COOKIE'], contains some cookies but
> not the SID one, beside
sophana wrote:
> Is your fix available in the 0.9.2 beta? I'd like to test it...
The expired sessions fix has been added after the beta release, so you
need to get it from the SVN. You can simply replace Application.py and
HTTPExceptions.py in the WebKit folder from here:
http://svn.w4py.org/
Christoph Zwerschke wrote:
I will also try to reimplement returning an error page for expired
sessions if IgnoreInvalidSession=False (the default is True). Maybe
instead of sending an error page, we should simply send a 408 Request
Timeout error?
I have fixed it that wa
> I will also try to reimplement returning an error page for expired
> sessions if IgnoreInvalidSession=False (the default is True). Maybe
> instead of sending an error page, we should simply send a 408 Request
> Timeout error?
I have fixed it that way now, but sending "401 Session Expired" ins
> In previous versions of webware (0.8.1), when a session expires the
> method Application.handleInvalidSession() was called, which basically
> removes the _SID_ reference so the browser will stop requesting an
> invalid session, and marks request._sessionExpired. So, I could ask
> for the var
nces to "SomeParent" in that code which should be "SiteFrame". I started to convert to your Frame naming convention but didn't follow through. :)
> -Original Message-
> From: Ben Parker [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 31, 2005 1:38 PM
> To
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Greg
> McClure
>
> ...
>
> My real problem is that I can not get my code to detect session cookie
> deletion. I feel like I'm missing something obvious, but I'm looking
> for anyone to say, "Here it is. You
: Thursday, March 31, 2005 1:38 PM
> To: Greg McClure
> Cc: Webware discussion list
> Subject: RE: [Webware-discuss] Session Cookies Issue
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Greg
> > McClure
>
Seeya,
Thanks for your response, but the 'BasicFrame' and 'AuthFrame' classes
are *not* frames, sorry for not explaining that. Those are just my
terms since I feel that what they're doing is "framing" content and I
dislike the term "page" for that function, since I feel that software
like Webware
Greg McClure wrote:
> I need to detect if the session cookie is present or not, *before* the
> rest of a page executes. Right now my protected pages are inheriting
> from an AuthFrame class which uses the awake method to handle this
> stuff. I have caching turned off.
How about self.transaction().
Hi Greg
What is your real problem? I don't know if is your case, but Internet
Explorer doesn't save cookies if you are on a frame (in my case an
iframe). I need to use AutomaticPathSession=1 on the configuration.
If I open the frame on a new window all is ok...
seeya
On Thu, 31 Mar 2005 00:35:0
Argh.
I tried it, but unfortunately trans.hasSession() doesn't seem to be
solving my problem.
Here's a sample of my code, as per your suggestion:
import lib.Config
from BasicFrame import BasicFrame

class AuthFrame(BasicFrame):
    def awake(self, trans):
        BasicFrame.awake(self, trans)
On Tue, 1 Mar 2005 17:21:18 -0800, Greg McClure wrote:
> Hey all.
>
> I suppose I'm not understanding Webware sessions very well. I'm
> trying to detect if a session has expired by doing what seems
> obvious:
>
> if self.session().isExpired():
> etc ...
Here are some quick tips that may help:
* I
On Dec 23, 2004, at 8:10 AM, Geoffrey Talvola wrote:
Frank Barknecht wrote:
Geoffrey Talvola said: // Geoffrey Talvola wrote:
So the most secure solution is indeed to use "URL secrets", like the
incrementing id already proposed (which must not be guessable) or
random secrets (like in Funcs.un
Frank Barknecht wrote:
> Geoffrey Talvola said: // Geoffrey Talvola wrote:
>
>> Using the latest Webware CVS as of a few minutes ago, if you use
>> UseAutomaticPathSessions=True with UseCookieSessions=False then the
>> session id is exclusively embedded in the URL and never sent in a
>> cook
Hallo,
Geoffrey Talvola said: // Geoffrey Talvola wrote:
> Using the latest Webware CVS as of a few minutes ago, if you use
> UseAutomaticPathSessions=True with UseCookieSessions=False then the session
> id is exclusively embedded in the URL and never sent in a cookie, so based
> on my readi
Frank Barknecht wrote:
> Hi,
>
> maybe you have already seen this on some news sites, but this
> document on "Session Riding" [1] IMO discusses a very important
> security issue with web based applications like you all probably
> develop with Webware, too, and it shines new light on the Cookie vs
Enrique Arizón wrote:
Of course, I send it back and for embedded in the
form as a hidden input field, so I can't imagine a
general way to use it in Webware (or any other
framework)
Yeah.
Though, if this scheme is used in HTML forms only and application use
some form-management tool like FormKit o
> I assume you attach this number to the urls in the
> final HTML response?
> Passing it back as cookie is useless, AFAIS.
>
Of course, I send it back and for embedded in the
form as a hidden input field, so I can't imagine a
general way to use it in Webware (or any other
framework)
Regards!
Enrique Arizón wrote:
I use "sequence numbers" to avoid the problem. It's
basically a similar solution to the "secrets"
mentioned in the article. An increasing integer number
is sent back to client with every request. The client
must put it back to the server with each new request.
It has the added
I use "sequence numbers" to avoid the problem. It's
basically a similar solution to the "secrets"
mentioned in the article. An increasing integer number
is sent back to client with every request. The client
must put it back to the server with each new request.
It has the added advantage (that was r
; > strings
>> > into the session store, so that skews our results in the "good"
>> > direction.
>> >
>> > Cheers!
>> > --
>> > David Hancock
>> >
>> > -Original Message-
>> > From: Matt Feifar
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, October 20, 2004 3:57 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Webware-discuss] session strangeness
>
>
> Hey, thanks everyone f
ction.
>
> Cheers!
> --
> David Hancock
>
> -Original Message-
> From: Matt Feifarek [mailto:[EMAIL PROTECTED]
> Sent: Wed 10/20/2004 6:12 PM
> To: Hancock, David (DHANCOCK)
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Webware-discuss] session strangeness
>
> Th
Title: RE: [Webware-discuss] session strangeness
Thanks, Matt--that's useful. We never (purposely) put anything but strings
into the session store, so that skews our results in the "good" direction.
Cheers!
--
David Hancock
-Original Message-
From
Thanks for that.
I guess that it's not "way" :-)
But it does depend on what gets pickled; if it stays in memory, there's
no pickling. I've noticed for example that pickling new style classes
(with the getstate/setstate stuff) is pretty slow. Typical session stuff
like strings and ints should be
:[EMAIL PROTECTED] On Behalf Of Matt
Feifarek
Sent: Wednesday, October 20, 2004 3:08 PM
To: [EMAIL PROTECTED]
Cc: JD Kaplan; [EMAIL PROTECTED]
Subject: Re: [Webware-discuss] session strangeness
File based sessions are way slower. Definitely an undesirable band-aid
solution.
We've seen this s
es them all when starting the server).
I have no idea why redirecting would cause this to happen.
Let us know what you find out.
- Geoff
-Original Message-
From: JD Kaplan [mailto:[EMAIL PROTECTED]
Sent: Monday, October 18, 2004 4:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [Webwar
File based sessions are way slower. Definitely an undesirable band-aid
solution.
We've seen this sort of thing, too. We were never able to determine the
source of the bug (or whether it was a bug).
[EMAIL PROTECTED] wrote:
Try changing your sessions store from Dynamic to File. What do you mean
Kaplan
Cc: [EMAIL PROTECTED]
Subject: RE: [Webware-discuss] session strangeness
Try changing your sessions store from Dynamic to File. What do you mean
by bounce the server?
Jose
> Original Message ----
> Subject: RE: [Webware-discuss] session strangeness
> From: "JD K
Try changing your sessions store from Dynamic to File. What do you mean
by bounce the server?
Jose
> Original Message
> Subject: RE: [Webware-discuss] session strangeness
> From: "JD Kaplan" <[EMAIL PROTECTED]>
> Date: Mon, October 18, 2004 1:
Additional information that is
pertinent: I am doing a response.sendRedirect() in the same situation and
it turns out that I only get that error if I bounce the server AFTER having
done a redirect…
Thanks,
jeremy
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf
On Fri, Mar 05, 2004 at 04:42:15PM -0600, Jason Hildebrand wrote:
>
> Hi Jerome,
>
> I'm curious why you aren't using Modeling anymore, or why you've decided to
> go with SQLObject. I've looked through the Modeling docs a couple of times,
> and while it looks impressive, but I haven't used or te
On Thu, 2004-03-04 at 18:03, Jerome Kerdreux wrote:
> In a previous life, i used Modeling for a while, and in Modeling
> you simply work in a editing context and binding an ec to session
> is easy so, committing changes is just a ec.saveChanges()... and
> to lose modification simply discard this ec
On Thu, Mar 04, 2004 at 05:24:38PM -0600, Ian Bicking wrote:
> You shouldn't keep the SQLObject instances in the session -- they
> persist independently in the database, and it can potentially confuse
> things if you keep them elsewhere. Well... maybe not so much. Really
> they should be pickl
Jerome Kerdreux wrote:
I'm wondering how you use session in webware.
My main problem is that I want to edit some
SQLObject in session. But i can to that directly
so i decided to write something that 'clone'
a SQLObject into a database-less object and put
it session. This works fine except that obje
_session is the class variable; session() is the access method.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek
Kubica
Sent: Friday, December 05, 2003 7:18 AM
To: webware-discuss
Subject: Re: [Webware-discuss] session from PSP
Hello,
>>
Hello,
>> sess = self._session()
IB> should be "self.session()", i.e., no underscore.
Thank you, it worked. :)
But why dir(self) displays _session?
greets,
Marek
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert
On Dec 3, 2003, at 11:19 AM, Marek Kubica wrote:
Hello,
I'm pretty new to PSP/Webware. I've got the following problem: how can
I access session from PSP? I've tried:
<%
sess = self._session()
should be "self.session()", i.e., no underscore.
sess.setValue('x', 5)
res.write(str(sess.value('x')))
%>
Vitaliy Fuks wrote:
I believe your problem may be that if you set a cookie and redirect in
same request the cookie is ignored.
You are not inherently doing that, but because session is expired new
session is created when user requests that page. At this time, a cookie
with new session id is sent.
Aaron,
I have tried with Mozilla. It just works fine. It's only IE and
Konqueror. I add a bunch of print statements to check the cookies being
received and sent and it seems that after my sub window calls
window.close it seems the next page I access just doesn't have any
cookies being sent. I p
I would recommend that you first test with Mozilla or some browser that
lets you monitor cookies. (From Mz click Tools -> cookie manager ->
manage cookies).
First of all make sure that you are indeed blocking the cookies.
Next dump the session contents for each page and try to find where the
sess
Huy Do wrote:
> Hi,
>
> I was just wondering if anyone stores their db cursors (psycopg) in the
> session so the user can reuse the same cursor if necessary (i.e so the
> program does not have to re query the database). I am basically using
> this for a web page which for eg. List 30 rows at a tim
Stuart Donaldson'
> Cc: Chris Backas; WebWare Community
> Subject: RE: [Webware-discuss] Session timeouts
>
>
> I figured out the source of my confusion about the session expiration.
>
> In my testing, everything was working properly. After
> session expiration, I
>
I figured out the source of my confusion about the session expiration.
In my testing, everything was working properly. After session expiration, I
would get a new session ID and a fresh, clean session on the first request.
It turns out that I was making that request after the session sweeper thr
Stuart Donaldson [mailto:[EMAIL PROTECTED]] wrote:
> That is rather interesting. The SecureCountVisits page does
> not check
> for Application.createSessionForTransaction() as does the CountVisits
page.
>
> It appears that when a session expires, the strategy is to call
> Application.handleI
Randall Randall wrote:
Stuart Donaldson wrote:
Probably what should happen, is that the SecureCountVisits example
should be updated to include a check for isSessionExpired() and then
display an expired session page.
Shouldn't this be in SecurePage itself? Is it useful to
Stuart Donaldson wrote:
> Probably what should happen, is that the SecureCountVisits example
> should be updated to include a check for isSessionExpired() and then
> display an expired session page.
Shouldn't this be in SecurePage itself? Is it useful to have a page one
only inherits to enforce lo
That is rather interesting. The SecureCountVisits page does not check
for isSessionExpired() as does the CountVisits page.
It appears that when a session expires, the strategy is to call
Application.handleInvalidSession() which basically removes the _SID_
reference so the browser will stop r
Michael Engelhart wrote:
BTW, it appears that expiring() doesn't get called on application
shutdown. Any ideas on what the deal is with that?
I think that the theory is that you could restart the application, and
it can pick up the sessions and go, without expiring them. If they
actually a
Thanks Matt
Good idea. I hadn't looked into the MixIn class. I'll check that out.
Maybe that's a better solution than mucking around in the Session class
BTW, it appears that expiring() doesn't get called on application
shutdown. Any ideas on what the deal is with that?
I saw that storeAllS
Michael Engelhart wrote:
Is there a way to handle cleanup of application specific resources
when a session is about to expire?
We're doing something similar to write log data when a session is
over... in the __init__.py of an application, you can do something like
this:
That's what I'd like to see.
I do agree that pickling to disk on restart is nice for development and
in a lot of other situations as well but I guess I just like "choice"
:-)
Thanks for listening to my rant.
Cheers,
Mike
On Tuesday, December 3, 2002, at 11:30 AM, Geoffrey Talvola wrote:
I
in the session object.
- Geoff
> -Original Message-
> From: Michael Engelhart [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 02, 2002 11:45 PM
> To: Ian Bicking
> Cc: Webware discuss
> Subject: Re: [Webware-discuss] session persistence
>
>
> Hi Ian,
Hi Ian,
Thanks for the code snippets and advice. But I'm afraid my issue
with this is more than just my pickling problem with my LDAP connection
objects. It's also the problem I have with Webware having 3 types of
session storage that all write to disk at some point. By forcing
MemorySe
On Mon, 2002-12-02 at 12:07, Michael Engelhart wrote:
> Hi all -
>
> I wrote about this a month or two ago and didn't really get a response
> but it's starting to bite me again.
> I'm trying to store LDAP connection objects in the user session and
> because the underlying LDAP objects (from the
Edmund Lian wrote:
> Under what circumstances does Webware generate a new session ID? For
> example, if I clear out the session store, will the session ID be
> regenerated?
Clearing out the session shouldn't cause the session ID to be regenerated (I
think).
I think if your servlets don't actuall
On 08/22/2002 09:32:04 AM Geoff wrote:
>The cookie is called "_SID_" and it does remain constant across all
>requests. And it should work fine with OneShot.cgi.
>
>Are you sure you have cookies enabled in your browser?
Yes, I'm using Mozilla, and what I've done is to turn on cookie acceptance
Edmund Lian wrote:
> From reading the docs, it appears that session IDs are stored
> as cookies
> unless UseAutomaticPathSessions is set. However, I don't
> actually see any
> cookies stored on my machine that corresponds to my domain name, or
> anything else that I might recognize as being from
On Wednesday 13 February 2002 12:19 pm, Geoffrey Talvola wrote:
> Jeff Johnson wrote:
> > I've seen this a few times on my test server today:
> >
> > Exception in thread SessionSweeper:
> > Traceback (most recent call last):
> > File "/usr/local/lib/python2.2/threading.py", line 408, in
> > __bo
Jeff Johnson wrote:
> I've seen this a few times on my test server today:
>
> Exception in thread SessionSweeper:
> Traceback (most recent call last):
> File "/usr/local/lib/python2.2/threading.py", line 408, in
> __bootstrap
> self.run()
> File "/usr/local/lib/python2.2/threading.py", l
At 04:30 PM 11/29/01 +1100, bj wrote:
>What is the best strategy for performing some action when the session
>times out?
>
>I'm in the middle of my first webware app =) and I need to do some
>processing on middlekit objects if the session times out. At the moment,
>I store an object in the sessio
> So this is either a flat out Mozilla bug, or WebKit is doing something
> "non-standard/typical" with cookies that IE & NN are forgiving of, but
> Mozilla is not.
>
> I'm not a Mozilla person myself and tend to lean towards "standard is as
> standard does". So if IE & NN can deal with it, esp
At 09:37 PM 7/5/2001 -0700, John Reese wrote:
>Sure nuff, CountVisits and SecureCountVisits work fine on IE, as on NN
>4.6.
>
>The rundown is thus:
>CountVisits and SecureCountVisits, WebWare 0.5
>==
>works with IE 6.0
>works with NN 4.6
>does not work with Mozilla 0.9.1 for PowerPC; cookies a
> Session cookies don't work at all for me with Mozilla. The example
> CountVisits page never displays a number higher than 1;
> SecureCountVisits never lets me in. I've set Mozilla to warn me
> before accepting cookies, and it doesn't say a word when I go to the
> CountVisits page, which means
At 09:03 AM 6/21/01 -0700, Mike Orr wrote:
>Disadvantages (missing features):
> automatic session recovery after expire (currently it presents an
>error page and then starts without a session; I'd propose starting a new
>session without an error message),
You can do this by setting the Ig
On Thu, Jun 21, 2001 at 02:51:19PM -, [EMAIL PROTECTED] wrote:
> I see one advantage of this system being the avoidance of any need to store
> session information on the server, and to be obliged to implement session
> timeouts - I hate visiting Web sites where my session expires after five
On Thu, Jun 21, 2001 at 02:51:19PM -, [EMAIL PROTECTED] wrote:
> It occurred to me yesterday that, despite having listed sessions as a feature
> of Webware in my Web Modules Overview page [1], I wasn't clear on how they
> could be created or manipulated in Webware,
You don't have to create
84 matches