[#MODPYTHON-111] Sessions don't set accessed time on read

mod_python

Sessions don't set accessed time on read

Created: 22/Jan/06 05:45 AM Updated: 05/Apr/07 11:33 AM

Return to search

Component/s:

documentation, session

Affects Version/s:

3.1.4

Fix Version/s:

3.3.1

Time Tracking:

Not Specified

Environment:

Suse 10, Apache2 worker

Resolution Date:

02/Apr/06 01:39 PM

Description

« Hide

When you read or access session it does not set new accessed time so it eventually dies(depends on the timeout).
It only sets the accessed time when you save the session and that is not how sessions normally function(at least not on all other systems). IMHO it should set its accessed time when it was actually accessed and not only when saved.

A bit more about this issue can be found here: http://www.modpython.org/pipermail/mod_python/2006-January/019889.html

All

Comments

Work Log

Change History

Subversion Commits

Sort Order:

[ Permlink | « Hide ]

Graham Dumpleton added a comment - 22/Jan/06 08:28 AM

Note that making such a change could have noticeable consequences as far as performance goes. Where login based session authentication is used to cover access to everything in a directory, including auxiliary files such as static images included in a HTML page, you would incur the override of a commit on every single access, including to the images. In those situations it is preferable that only the page/code with represents the core resource should perform the commit for time accessed. The only way you can achieve this is to leave it as now and for the programmer to code the commit explicitly in the required place. If you auto commit on every access, you impose the performance hit on everyone and doubly so for existing code which already performs the required commit. Thus changing this may have a significant impact on existing code.

BTW, a lot of those other systems probably came along after mod_python implemented sessions. They also do what they do as part of a bigger picture of making it easier for dumb users to use the systems. An aim of mod_python on the over hand is performance, control and flexibility. By auto commiting, you have taken away just a little bit of that control as once done you can't revert the change. It is thus perferable that if you want auto commit, you implement it in a layer above the API that is provided. Since a good design would implement session creation in a web application in one spot, it means you only have to accomodate for it in one spot, so in practice it should not be a big drama for a user to do themselves.

[ Permlink | « Hide ]

Sebastjan Trepca added a comment - 14/Feb/06 09:32 PM

OK, I understand and agree with your but then someone should change the documentation because now it says:
"
A session will timeout if it has not been accessed for more than timeout, which defaults to 30 minutes. An attempt to load an expired session will result in a ``new'' session.
"
From this line I thought accessing the session means that I execute the load() method, but I was apparantly wrong and spent few hours debugging my application and then few hours more for debugging mod_python.

Can someone then please edit that line in docs and be more explicit about what that "accessing" means so people won't be confused when session will suddenly expire?

[ Permlink | « Hide ]

Jim Gallacher added a comment - 14/Feb/06 10:20 PM

I'll update the documentation.

[ Permlink | « Hide ]

Graham Dumpleton added a comment - 02/Apr/06 01:39 PM

Autosave not implemented as described, but documentation updated to add additional note about need to save session to avoid timeout occuring.