Upgrading to Quixote 0.5 Session Management =========================================== The Quixote session management interface underwent lots of change and cleanup with Quixote 0.5. It was previously undocumented (apart from docstrings in the code), so we thought that this was a good opportunity to clean up the interface. Nevertheless, those brave souls who got session management working just by reading the code are in for a bit of suffering; this brief note should help clarify things. The definitive documentation for session management is session-mgmt.txt -- you should start there. Attribute renamings and pickled objects --------------------------------------- Most attributes of the standard Session class were made private in order to reduce collisions with subclasses. The downside is that pickled Session objects will break. You might want to (temporarily) modify session.py and add this method to Session:: def __setstate__ (self, dict): # Update for attribute renamings made in rev. 1.51.2.3 # (between Quixote 0.4.7 and 0.5). self.__dict__.update(dict) if hasattr(self, 'remote_address'): self.__remote_address = self.remote_address del self.remote_address if hasattr(self, 'creation_time'): self.__creation_time = self.creation_time del self.creation_time if hasattr(self, 'access_time'): self.__access_time = self.access_time del self.access_time if hasattr(self, 'form_tokens'): self._form_tokens = self.form_tokens del self.form_tokens However, if your sessions were pickled via ZODB, this may not work. (It didn't work for us.) In that case, you'll have to add something like this to your class that inherits from both ZODB's Persistent and Quixote's Session:: def __setstate__ (self, dict): # Blechhh! This doesn't work if I put it in Quixote's # session.py, so I have to second-guess how Python # treats "__" attribute names. self.__dict__.update(dict) if hasattr(self, 'remote_address'): self._Session__remote_address = self.remote_address del self.remote_address if hasattr(self, 'creation_time'): self._Session__creation_time = self.creation_time del self.creation_time if hasattr(self, 'access_time'): self._Session__access_time = self.access_time del self.access_time if hasattr(self, 'form_tokens'): self._form_tokens = self.form_tokens del self.form_tokens It's not pretty, but it worked for us. Cookie domains and paths ------------------------ The session cookie config variables -- ``COOKIE_NAME``, ``COOKIE_DOMAIN``, and ``COOKIE_PATH`` -- have been renamed to ``SESSION_COOKIE_*`` for clarity. If you previously set the config variable ``COOKIE_DOMAIN`` to the name of your server, this is most likely no longer necessary -- it's now fine to leave ``SESSION_COOKIE_DOMAIN`` unset (ie. ``None``), which ultimately means browsers will only include the session cookie in requests to the same server that sent it to them in the first place. If you previously set ``COOKIE_PATH``, then you should probably preserve your setting as ``SESSION_COOKIE_PATH``. The default of ``None`` means that browsers will only send session cookies with requests for URIs under the URI that originally resulted in the session cookie being sent. See session-mgmt.txt and RFCs 2109 and 2965. If you previously set ``COOKIE_NAME``, change it to ``SESSION_COOKIE_NAME``. $Id: session-upgrade.txt,v 1.6 2002/10/02 15:32:22 gward Exp $