[Twisted-Python] twisted.web.woven.guard.SessionWrapper problems

[Matthias Urlichs]

I was experimenting with twisted.web.woven.guard yesterday and ran into a
problem.

Some browsers, including wget, don't like _at_all_ when you have a cycle
in your redirections, even though they should notice that they now have a
cookie while formerly they didn't.

Therefore I propose to rewrite the SessionWrapper to always change the
user's path, like this (the string "sp" is self.cookieKey):

/sessionized-url/foo
	Set cookie
	Redirect to /sessionized-url/sp__aef9c34aecc3d9148/foo
/sessionized-url/sp__aef9c34aecc3d9148/foo
	Redirect to either of the next two URLs depending on whether I see a
	cookie
/sessionized-url/sp/foo
	URL to use with cookies
/sessionized-url/sp_aef9c34aecc3d9148/foo
	URL to use without cookies

Finally, /sessionized-url/sp/foo, but no cookie, would do

	class SessionWrapper(...):
		def __init__(..., on_timeout=None):
			...
			self.prefix=prefix
			self.timed_out = timed_out
		def getChild(...):
			if (path == self.prefix and not self.sessions.has_key(cookie):
				return self.on_timeout(path,request)

so that access with no session can be distinguished from a plain link into
/sessionized-url/foo; the latter means the user might want to log in, but
the former should tell the user that their session has timed out before
offering the login page.

An additional advantage of this scheme would be that
.../unsessionized-url/ can be reaced with a constant number of backpaths.

Oh yes, and I'd like to make http://somewhere.example/sessionized-url and
(i.e. no paths) work. At the moment that causes an ugly error because
SessionWrapper doesn't override render().

Thoughts? Or is somebody else going to rewrite this module next week
anyway and I therefore probably shouldn't bother?

-- 
Matthias Urlichs  | {M:U} IT Consulting @ m-u-it.de  |  smurf at smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
-- 
Van Roy's Law:
	An unbreakable toy is useful for breaking other toys.