Getting session by SID


Paul Carvill

Oct 14, 2010, 11:22:39 AM
to gae-sessions
Hi,

I don't seem to be able to access a session by SID. The code looks
like this should be possible, but I wonder if you could clarify the
exact process.

I'll explain what I'm trying to do. I have an Adobe Air app which I
use to make an Ajax request to my GAE app with. I want to create a
very short-lived session and return the SID to the Adobe Air app. I
then need to open a browser window from the Air app and go to a login
page, where I can supply the SID and (assuming it hasn't expired)
match it with the current session to create a new, longer session.

My problem is: I don't seem to easily be able to send the SID back to
the Adobe Air app in a response, and when I hacked around enough to do
so, I was unable to match an existing session with the SID string.

Hope this makes sense!

paul

David Underhill

Oct 14, 2010, 12:09:37 PM
to gae-sessions
Good question. By default, gae-sessions will try to store a user's
session within secure cookies - this makes the session retrieval far
faster as the client sends their session data along with each request,
rather than us having to go to memcache (or worse, the datastore) to
get the session information. Unfortunately, if the session is only
stored in a cookie, then you can't load the session by SID since
cookies are stored solely with the client.

However, you can work around this problem without losing the
substantial benefit of cookie-only sessions. Before you send the SID
to your Adobe Air app, you just need to force the session to be
persisted to the datastore/memcache so that your Adobe Air application
can retrieve the session data by SID. To do this, you need to mark
the session as "dirty" (otherwise save() won't do anything) - you can
do this by simply setting session.dirty = True. Next, you need to
force the session to be persisted server-side this once - you can do
this by calling session.save(persist_even_if_using_cookie=True).

Now your Adobe Air app will be able to retrieve the session data
with just the SID.

All the best,

~ David

Paul Carvill

Dec 8, 2010, 8:04:33 AM
to gae-sessions
my code:

import logging
import time

from google.appengine.ext import webapp
from gaesessions import Session, get_current_session

# adobe air client authenticates by POST over SSL
# (getUser is the poster's own helper, not shown)
class GetWebSessionKeyHandler(webapp.RequestHandler):
    def post(self):
        key = self.request.get('key')
        secret = self.request.get('secret')
        user = getUser(key, secret)
        if user:
            session = get_current_session()
            session.start(expiration_ts=int(time.time()+30))
            session['user'] = user
            self.response.out.write(session.getSid())
        else:
            pass
            # return unauthorised error


# adobe air client takes SID and makes a new request via a browser,
# using the SID returned above as a token
class StartWebSessionHandler(webapp.RequestHandler):
    def get(self):
        webSessionKey = self.request.get('webSessionKey')
        target = self.request.get('target')
        session = Session(sid=webSessionKey)

        if session.is_active():
            session.regenerate_id()
            self.redirect('%s' % target)
        else:
            self.redirect('/signin')

class TargetHandler(webapp.RequestHandler):
    def get(self):
        session = get_current_session()
        logging.info(session) # always returns 'uninitialized session'

upon redirect to target, the session is always reported as being
uninitialized.

any ideas would be very welcome.

cheers,
paul

Paul Carvill

Dec 8, 2010, 7:36:17 AM
to gae-sessions
Hi David,

Thanks for your reply. I've come back to this after a long time away!
It seems to me the problem with instantiating Session with a supplied
SID e.g.

session = Session(sid=foo)

is that in the response no cookie headers are set. I've traced through
fetching a session with a supplied SID, through my_start_response and
into make_cookie_headers, where:

if not self.sid

resolves to True and results in the cookie being expired, so the
client effectively has no connection with the session, whatever you do
to the session e.g. mark it as dirty, force it to persist to the
datastore etc.

I'll pull out some code and add it here next.

cheers,
paul

On Oct 14, 4:09 pm, David Underhill <doun...@gmail.com> wrote:

David Underhill

Dec 8, 2010, 4:43:24 PM
to gae-se...@googlegroups.com
Paul,

The session library keeps the automatically loaded (based on cookies) session (if any) in a "_current_session" variable.  At the end of a request, the middleware checks this variable and, if needed, sends the appropriate cookies to the client.

However, when you manually retrieve a session by SID, this _current_session variable is unaffected.  As a result, in your code the middleware doesn't have anything to send to the client.  The easiest way to make your manually retrieved session output the appropriate cookie headers is to manually run this code:

for ch in session.make_cookie_headers():
  self.response.headers.add_header('Set-Cookie', ch)

This is essentially what the middleware does for you (except when you manually retrieve a session by SID).

~ David
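
The handoff this thread describes (a short-lived server-side token returned to the desktop client, then redeemed once in the browser for a new session ID whose cookie the handler sets itself), as an added example that is not part of the original posts and is not gae-sessions code. `HandoffStore`, `safe_target` and the `sid` cookie name are hypothetical, an in-memory dict stands in for memcache/datastore, and the redirect-target check goes beyond what the thread covers.

```python
import secrets
import time


class HandoffStore:
    """In-memory stand-in for the server-side store (memcache/datastore)."""

    def __init__(self, ttl=30, clock=time.time):
        self.ttl, self.clock = ttl, clock
        self._pending = {}   # handoff token -> (user, expiry timestamp)
        self.sessions = {}   # browser session id -> user

    def issue(self, user):
        """Desktop client has authenticated: return a short-lived token."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = (user, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Browser presents the token: consume it and start a fresh session.

        Returns (sid, set_cookie_header), or None when the token is
        unknown, already used, or expired.
        """
        entry = self._pending.pop(token, None)   # pop makes it single use
        if entry is None:
            return None
        user, expires = entry
        if self.clock() > expires:
            return None
        sid = secrets.token_urlsafe(32)   # new id, never the value seen in the URL
        self.sessions[sid] = user
        # The handler must send this header itself (hypothetical cookie name).
        cookie = "sid=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % sid
        return sid, cookie


def safe_target(target, default="/"):
    """Allow only same-site absolute paths as the post-login redirect."""
    bad = (target.startswith("//") or "\\" in target
           or any(ord(c) < 0x20 for c in target))
    return target if target.startswith("/") and not bad else default
```
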