Issue #406 resolved

pluggable generateSessionID() for SessionFilter

created an issue

The current (r860) SessionFilter implementation is a good start. One possible improvement might be to allow users to specify the desired session ID generation function in a site's config file/dict, which would allow users of the default session implementation to reap at least the following benefits:

  1. liberation from current paltry limit of roughly 1e12 possible session id's.
  2. use of possibly-more-robust generation mechanisms such as mxUID.
  3. ability to sleep at night thanks to the peace of mind granted by the knowledge that one's widgets are properly frobbing the wozzle.

Comments (2)

  1. Anonymous

    I don't think this is an important feature (read below), but it is currently possible. It requires a simple but unrecommendable hack.

    def my_key_generator():
        return 1234
    # this constitutes major abuse of the Python language
    import cherrypy.filters.sessionfilter
    # replace the module-level generator with the function defined above
    cherrypy.filters.sessionfilter.generate_session_id = my_key_generator

    1e12 is the approximate limit on systems where Python floats are 40 bits. The limit will be exponentially larger on architectures with higher precision floats. It would take 36.0 terabytes of memory just to store 1e12 session keys (as ASCII encoded sha1 sums), not including the actual session data. A trillion possible session keys should be sufficient for any CherryPy application.

    The session code isn't deeply integrated into the server; it is an independent component that is bundled with the server. So it should be very easy to customize to a specific application.

    The session filter I wrote once upon a time had support for user-defined session key generators, along with a million other features most people will never use. There just isn't enough demand for this to justify the added complexity.

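An added example, not part of the original issue or of CherryPy's code: the generator is passed in as configuration instead of being monkeypatched into the module, and defaults to the OS CSPRNG. `SessionStore`, the `session.id_generator` config key and the 32-character minimum are assumptions made for illustration.

```python
import math
import secrets


def keyspace_bits(possible_ids):
    """Bits of entropy in an ID drawn uniformly from `possible_ids` values."""
    return math.log2(possible_ids)   # 1e12 possible IDs is just under 40 bits


def default_session_id():
    """160 bits from the OS CSPRNG as 40 hex chars (same length as a SHA-1 hex digest)."""
    return secrets.token_hex(20)


class SessionStore:
    """Hypothetical in-memory session store with a pluggable ID generator."""

    def __init__(self, config=None):
        config = config or {}
        # Hypothetical config key, not an actual CherryPy setting.
        self._generate = config.get("session.id_generator", default_session_id)
        self._sessions = {}

    def create(self, max_attempts=5):
        """Return a new session ID, rejecting unusable or colliding generator output."""
        for _ in range(max_attempts):
            sid = self._generate()
            # A length check cannot prove randomness, but it catches a generator
            # that returns a constant, an integer, or a short counter.
            if not isinstance(sid, str) or len(sid) < 32:
                raise ValueError("session ID generator returned an unusable value")
            if sid not in self._sessions:   # never reissue an ID that is in use
                self._sessions[sid] = {}
                return sid
        raise RuntimeError("session ID generator keeps returning IDs already in use")

    def get(self, sid):
        """Return the session data for `sid`, or None if the ID is unknown."""
        return self._sessions.get(sid)
```

A replacement generator is any zero-argument callable that returns a string, for example `SessionStore({"session.id_generator": lambda: secrets.token_urlsafe(32)})`.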