When session class creates cookie, it does not explicitly set the "domain" attribute. This means that the session will only apply to the specific site the request was targeted at. This precludes a single server hosting multiple virtual host subdomains under a parent domain and a session being shared across these sites.

The code could perhaps be enhanced to allow an option to be set to force the inclusion of a "domain" attribute in the cookie for the session much like it currently allows with the "path" attribute. The option for the latter is "ApplicationPath". As noted in MODPYTHON-127 there is an intent to properly namespace these mod_python options so maybe there should be an option:

  mod_python.Session.application_domain

with Session code implementing following in make_cookie() method:

        if config.has_key("mod_python.Session.application_domain"):
            c.domain = config["mod_python.Session.application_domain"]

Setting the domain though would only be required if you want cross site session cookies within an enclosing domain, it would not be required for a single site.

Depending on whether multiple applications are being hosted on sites under the same domain, an application may also want to override the session cookie name and session cookie path to avoid conflicts between multiple applications when doing this.