[web session] fix '#1375582: sometime have to relogin since secure session cookie are used' by having different session cookie for http/https version. Also add application name to avoid potential pb when developping differents appls on the same port. stable
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Fri, 05 Nov 2010 11:58:16 +0100
branchstable
changeset 6680 b62ebf1d9388
parent 6679 7f2735c48653
child 6681 674461009c7c
[web session] fix '#1375582: sometime have to relogin since secure session cookie are used' by having a different session cookie for the http and https versions. Also add the application name to avoid potential problems when developing different applications on the same port.
web/application.py
--- a/web/application.py	Fri Nov 05 10:49:58 2010 +0100
+++ b/web/application.py	Fri Nov 05 11:58:16 2010 +0100
@@ -140,13 +140,7 @@
 
 
 class CookieSessionHandler(object):
-    """a session handler using a cookie to store the session identifier
-
-    :cvar SESSION_VAR:
-      string giving the name of the variable used to store the session
-      identifier
-    """
-    SESSION_VAR = '__session'
+    """a session handler using a cookie to store the session identifier"""
 
     def __init__(self, appli):
         self.vreg = appli.vreg
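Review bot: Dropping the `SESSION_VAR` class attribute on the stable branch removes a name that subclasses or other modules may still read; nothing in this diff shows whether such callers exist, so it is worth a grep before merging. Browsers that already hold a `__session` cookie will keep sending it, and no visible code expires it after the rename. A short comment on the class would help readers, for example `# SESSION_VAR was replaced by session_cookie(req): the name now depends on scheme and appid`. `__init__` continues outside the hunk.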
@@ -180,6 +174,14 @@
         """
         self.session_manager.clean_sessions()
 
+    def session_cookie(self, req):
+        """return a string giving the name of the cookie used to store the
+        session identifier.
+        """
+        if req.https:
+            return '__%s_https_session' % self.vreg.config.appid
+        return '__%s_session' % self.vreg.config.appid
+
     def set_session(self, req):
         """associate a session to the request
 
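Review bot: The docstring of `session_cookie` does not say why the name depends on `req.https`, and the name alone is not a security boundary: cookie names are not scoped by scheme, so only the `secure` attribute set in `open_session` keeps the https session id off plain http. I would extend the docstring to say that a browser withholds a secure cookie on http requests, which appears to be the cause of the relogin in the ticket, and that the appid is included because cookies are not isolated by port. `self.vreg.config.appid` is also interpolated unchecked. If it can contain characters that are not legal in a cookie name (not visible here), the `cookie[sessioncookie] = ...` assignment in `open_session` would presumably raise, so a comment stating the assumed appid charset is worthwhile.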
@@ -193,8 +195,9 @@
         :raise Redirect: if authentication has occurred and succeed
         """
         cookie = req.get_cookie()
+        sessioncookie = self.session_cookie(req)
         try:
-            sessionid = str(cookie[self.SESSION_VAR].value)
+            sessionid = str(cookie[sessioncookie].value)
         except KeyError: # no session cookie
             session = self.open_session(req)
         else:
@@ -206,7 +209,7 @@
                 try:
                     session = self.open_session(req)
                 except AuthenticationError:
-                    req.remove_cookie(cookie, self.SESSION_VAR)
+                    req.remove_cookie(cookie, sessioncookie)
                     raise
 
     def get_session(self, req, sessionid):
@@ -215,10 +218,11 @@
     def open_session(self, req):
         session = self.session_manager.open_session(req)
         cookie = req.get_cookie()
-        cookie[self.SESSION_VAR] = session.sessionid
+        sessioncookie = self.session_cookie(req)
+        cookie[sessioncookie] = session.sessionid
         if req.https and req.base_url().startswith('https://'):
-            cookie[self.SESSION_VAR]['secure'] = True
-        req.set_cookie(cookie, self.SESSION_VAR, maxage=None)
+            cookie[sessioncookie]['secure'] = True
+        req.set_cookie(cookie, sessioncookie, maxage=None)
         if not session.anonymous_session:
             self._postlogin(req)
         return session
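Review bot: The cookie name and the `secure` flag are decided by two different tests: `session_cookie` looks only at `req.https`, while the flag also requires `req.base_url().startswith('https://')`. When `req.https` is true but the base URL is not https, the session id is stored under `__<appid>_https_session` without `secure`, so the browser will send it over plain http as well. Consider choosing the name from the same predicate, e.g. `if req.https and req.base_url().startswith('https://'):` inside `session_cookie`, or at least add a comment explaining why the two tests differ. No `httponly` attribute is set in the visible lines, and whether `req.set_cookie` adds one cannot be seen here.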
@@ -265,7 +269,8 @@
         `AuthenticationError`
         """
         self.session_manager.close_session(req.session)
-        req.remove_cookie(req.get_cookie(), self.SESSION_VAR)
+        sessioncookie = self.session_cookie(req)
+        req.remove_cookie(req.get_cookie(), sessioncookie)
         raise LogOut(url=goto_url)
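Review bot: Logout now expires only the cookie for the scheme of the current request and closes only `req.session`. Since http and https each get their own cookie, and apparently their own session, a user who signed in on both keeps a live session on the other scheme after logging out; in particular the non-secure `__<appid>_session` stays valid. If that is intended, say so in the docstring, e.g. `only the session of the current scheme (http or https) is closed`. Otherwise an https logout could also expire the http cookie it receives. The method starts outside the hunk.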