Ability to have more than one cookie per domain (vary the path)

[wreleven]

It would he handy to pass in a cookie_path variable to the SessionMiddleware to allow for multiple cookies / cookie_keys to be used on the same domain.

My case: I have a web app that has two distinct areas that required different security settings. One area doesn't allow session data to be stored in a cookie while the other one does. I am currently setting cookie_key to a different values but by doing so the first / alternative session get squashed.

If you have any suggestions - I'm all ears :)

[dound]

Interesting use case. This would be a bit of a complicated change to the source, but there is a cheap trick you could do to make this happen (see my next post for a proper solution): copy the library into a new module (e.g., gaessions2), refactor SessionModel to SessionModel2, prefix all memcache keys with "g2", and replace COOKIE_NAME_PREFIX with "g2".

Configure one copy of the library to use secure cookies and the other copy of the library to use datastore/memcache only. Then each area of your website can use the appropriate copy of the library.

This certainly isn't elegant, but it's relatively straightforward :).

[wreleven]

That would work in the pinch for sure. Hrm - I see what you mean module wise though, would require a wee bit of work.

[dound]

Here's a more proper solution (which really isn't any harder than the hack above). Configure the SessionMiddleware for the part of the website which allows secure cookies.

Subclass SessionMiddleware and dynamically change cookie_only_threshold based on which section of the site you're in.

You'll also need to modify the source so that the session middleware can instruct the Session object what COOKIE_NAME_PREFIX it should use. Currently this value is just a global "constant" so you'll have to change that (and the other global "constants" which rely on it). This shouldn't be too hard, but let me know if you get stuck.

Dynamically choosing and applying the COOKIE_NAME_PREFIX should have a negligible performance impact, so if you come up with a patch perhaps we could work it in to the repo for wider distribution.

[wreleven]

Thank you for the detail - I do appreciate it. I'll stake a stab at it tomorrow and see how it goes. Thank you again and if I come up with something good I'll msg you back.

[wreleven]

I already use different "applications" so I don't need to dynamically adjust the cookie_only_threshold but I will check out what the COOKIE_NAME_PREFIX will do for me. It's way to late to think clearly but I feel like COOKIE_PATH could also be used to identify different cookies if I combined COOKIE_PATH and COOKIE_NAME_PREFIX as a key.