3 messages in com.googlegroups.pylons-discuss: Re: Beaker cookies problems with proxy

From            Sent On
Pavel Skvazh    17 Nov 2007 12:46
Ben Bangert     24 Dec 2007 15:46
Pavel Skvazh    25 Dec 2007 00:06

Subject: Re: Beaker cookies problems with proxy
From: Pavel Skvazh (pave@public.gmane.org)
Date: 12/25/2007 12:06:19 AM
List: com.googlegroups.pylons-discuss

Thanks a lot for the tip, I'll sure test it and give you a response tomorrow. Probably part of the issue is I'm doing session.invalidate on user exit and before the login to ensure all the previous session data is cleared so there won't be any leftovers.

What'll be your best practice tip on this one?

On Dec 25, 2:46 am, Ben Bangert <gasp@public.gmane.org> wrote:

On Nov 17, 12:46 pm, Pavel Skvazh <pave@public.gmane.org> wrote:

Basic 0.8 settings:

    beaker.session.type=memory
    beaker.session.cookie_expires = True

The issue is not that easy to spot. As far as I've got the problem, when I'm trying to access my site through office network, where all PCs share the same IP, they all share the same session. When I access the site from one PC, log in etc, the other gets the same cookie once it's on the site.

I'm rather confused how that's possible, unless you have a misbehaving HTTP proxy inside your network that is caching all network access to the web page when it shouldn't be.

Beaker does not peg sessions to specific IPs, the session is determined by cookie, thus every browser has its own cookie, and its own session. This will work through proxies -- AOL users for example -- and for multiple computers behind a single IP.

Thanks for the bit on cookie use, I'll clear up the docs and provide alternative ways to let you tell Beaker how to get the session ID in the next Beaker release.

As a work-around, can you set a few cache headers in your BaseController's __call__ before it calls the WSGIController method? For example:

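    # Imports the snippet relies on (Pylons)
    from pylons import response
    from pylons.controllers import WSGIController

    class BaseController(WSGIController):
        def __call__(self, environ, start_response):
            # Tell intermediaries and browsers not to store or reuse this response
            response.headers['Pragma'] = 'no-cache'
            response.headers['Cache-Control'] = 'no-store,no-cache,must-revalidate,max-age=0'
            return WSGIController.__call__(self, environ, start_response)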

This should help ensure overly aggressive caches don't cache the page content (thus appear to have the same session).
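
The work-around quoted above, generalized into framework-independent WSGI middleware, as an added example that is not part of the original thread and is not Beaker or Pylons code: any response that sets a cookie, or answers a request that carried one, is marked uncacheable so a shared proxy cannot replay one user's session to another. The names NoStoreForCookies, run, login_app and static_app are hypothetical, and the sample apps and cookie value are constructed.

```python
# Added example: standard library only; all names here are hypothetical.
NO_CACHE = [("Cache-Control", "no-store,no-cache,must-revalidate,max-age=0"),
            ("Pragma", "no-cache")]
CACHE_HEADERS = {"cache-control", "pragma", "expires"}

class NoStoreForCookies:
    """Mark any response that reads or sets a cookie as uncacheable."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        sent_cookie = "HTTP_COOKIE" in environ  # request is tied to a session

        def guarded_start(status, headers, exc_info=None):
            sets_cookie = any(k.lower() == "set-cookie" for k, _ in headers)
            if sent_cookie or sets_cookie:
                # Drop whatever caching policy the app chose, then force no-store.
                headers = [(k, v) for k, v in headers
                           if k.lower() not in CACHE_HEADERS] + NO_CACHE
            return start_response(status, headers, exc_info)

        return self.app(environ, guarded_start)

def run(app, environ):
    """Call a WSGI app once and return (status, headers as dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

# Constructed sample apps: a login page that issues a session cookie under a
# cacheable policy (the failure mode discussed in the thread), and a static file.
def login_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=3600"),
                              ("Set-Cookie", "beaker.session.id=CONSTRUCTED; Path=/")])
    return [b"welcome"]

def static_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/css"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b"body{}"]
```

Cookie-less requests for static content keep their own caching policy, so only session-bearing traffic bypasses the proxy cache.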