[Web-SIG] Standardised configuration.

Alan Kennedy py-web-sig at xhaus.com
Mon Sep 6 15:30:00 CEST 2004 

[Alan Kennedy]
 >> I originally thought that option B was the best, but now I think
 >> differently. And from what I read from your post, Paul, I think
 >> we're in agreement.

[Paul Boddie]
 > Are we? ;-) Certain things like sessions are most likely to be
 > configured in the server environment. In Tomcat, for example, that
 > would be in one of the XML configuration files, but for something
 > like Apache/mod_python it would be nicest to use httpd.conf or a
 > related file, and Webware and Zope store sessions in their own
 > particular way - note that Zope uses its own special mechanisms
 > which might not correspond exactly with the conceptual model you
 > envisage.

Ah, now we're getting somewhere.

I think that session handling is an excellent example against which to 
have this discussion. Note however that I am *not* advocating 
standardising session management under WSGI.

J2EE session handling is generally a huge PITA, primarily because the 
base unit of session management is the servlet context, i.e. every 
servlet context gets its own "session space". For example

'/forms' may map to one session space, while
'/news' may map to a different session space.

Any given user may have multiple sessions on a server, depending on the 
number of servlets they have interacted with. It is generally not 
possible, except using container specific methods, to have a single 
"uber-session" which concentrates all user session data into a single 
object. This "hierarchy problem" makes it difficult, and extremely 
container-specific, to manage a single set of users across a set of J2EE 
servlets.

Most J2EE containers support both cookies and URL rewriting for session 
management, i.e. if the user-agent has cookies disabled, then all urls 
are rewritten to contain sessions IDs. Which means that the url 
rewriting algorithm has to be aware of multiple servlet contexts, and 
rewrite local urls to contain the session ID which is specific to the 
target context/servlet.

Some J2EE containers support a "Single Sign On" facility, where the 
container manages the multiple session objects on the applications 
behalf, and makes it easy for the user (but not the programer) by only 
making them sign on to a server once. Tomcat does this using an extra 
cookie, the SSO cookie, which is transmitted to user-agents *as well as* 
the per-servlet cookie, i.e. the user-agent receives two cookies from 
the container. Worse, the Tomcat Single-Sign-On facility does not 
support URL rewriting: the user-agent *must* have cookies enabled in 
order for single sign on to work. Which sucks.

I think that if WSGI applications were to rely on the local 
platform/container session management facilities, it is extremely 
unlikely that they would be portable. It's difficult enough to get 
coherent cross-servlet session-handling working on J2EE when writing in 
java, as these pages show

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/host.html#Single%20Sign%20On
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/valve.html#Single%20Sign%20On%20Valve
http://www.fwd.at/tomcat/sharing-session-data-howto.html

Imagine the complications if the application code were originally 
written to work with say, WebWare under cpython?

To me, session handling is one of those things that is done in so many 
different ways by so many different platforms/containers that it is 
impractical to achieve application portability once a particular 
methodology has been chosen.

So, IMHO, session handling is one of those "should be simple" areas of 
web programming that gets horrifically complicated when trying to move 
applications between platforms/containers: in fact I'd go so far as to 
say the multiple session handling techniques is one of the primary 
reasons why the python web world is currently so fragmented: every 
framework author thinks they know best: although some do it much better 
than others. I like webwares method of using URL path parameters, with a 
auto-refresh if a request is received that doesn't contain a session ID. 
But IIRC, this method is quite Apache specific, and requires 
modification of the Apache httpd.conf to get working. I could be wrong 
though.

It is important to note that I am *not* advocating standardising session 
management under WSGI: far from it. But what I am advocating is trying 
to make it as easy as possible for session-handling middleware 
components to be as portable between WSGI servers as possible. WSGI, as 
it currently stands, makes it far easier to do this than any other 
approach: I'm just trying to foresee and eliminate the last few % that 
stands in the way of 100% portability.

Regards,

Alan.

More information about the Web-SIG mailing list