From 3a590f58b8dc36e353227ec38cfd1e5dc289baca Mon Sep 17 00:00:00 2001 From: Neil Schemenauer Date: Thu, 23 Nov 2017 09:51:25 -0800 Subject: [PATCH] Revise session-mgmt.txt, session ID format has changed. --- doc/session-mgmt.txt | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/doc/session-mgmt.txt b/doc/session-mgmt.txt index 406f4e5..40b357a 100644 --- a/doc/session-mgmt.txt +++ b/doc/session-mgmt.txt @@ -27,20 +27,20 @@ In a nutshell, session management with Quixote works like this: * when a user-agent first requests a page from a Quixote application that implements session management, Quixote creates a Session object - and generates a session ID (a random 64-bit number). The Session + and generates a session ID (a random 128-bit number). The Session object is attached to the current HTTPRequest object, so that application code involved in processing this request has access to - the Session object. The get_session() function provides uniform - access to the current Session object. + the Session object. The quixote.get_session() function provides + uniform access to the current Session object. * if, at the end of processing that request, the application code has stored any information in the Session object, Quixote saves the session in its SessionManager object for use by future requests and sends a session cookie, called ``QX_session`` by default, to the user. - The session cookie contains the session ID encoded as a hexadecimal - string, and is included in the response headers, eg. :: + The session cookie contains the session ID encoded as a URL-safe + base-64 string, and is included in the response headers, eg. :: - Set-Cookie: QX_session="928F82A9B8FA92FD" + Set-Cookie: QX_session="pJX1bU47T-6hbfjP2f5pPA" (You can instruct Quixote to specify the domain and path for URLs to which this cookie should be sent.) 
@@ -51,7 +51,7 @@ In a nutshell, session management with Quixote works like this: cookie's domain and path, it includes the ``QX_session`` cookie previously generated by Quixote in the request headers, eg.:: - Cookie: QX_session="928F82A9B8FA92FD" + Cookie: QX_session="pJX1bU47T-6hbfjP2f5pPA" * while processing the request, Quixote decodes the session ID and looks up the corresponding Session object in its SessionManager. If @@ -166,7 +166,7 @@ For example, if the client requests ``/foo/bar/`` from www.example.com, and Quixote decides that it must set the session cookie in the response to that request, then the server would send :: - Set-Cookie: QX_session="928F82A9B8FA92FD" + Set-Cookie: QX_session="pJX1bU47T-6hbfjP2f5pPA" in the response headers. Since no domain or path were specified with that cookie, the browser will only include the cookie with requests to @@ -180,7 +180,7 @@ config file:: which will cause Quixote to set the cookie like this:: - Set-Cookie: QX_session="928F82A9B8FA92FD"; Path="/" + Set-Cookie: QX_session="pJX1bU47T-6hbfjP2f5pPA"; Path="/" which will instruct the browser to include that cookie with *all* requests to www.example.com.
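Review bot: In the first hunk (@@ -27,20 +27,20), "a random 128-bit number" does not say where the randomness comes from. The session ID is the only value carried in the QX_session cookie and is what the SessionManager lookup is keyed on, so the text should state that it is drawn from a cryptographically secure source, if that is the case. The sample value "pJX1bU47T-6hbfjP2f5pPA" is 22 characters, which corresponds to 16 bytes of URL-safe base-64 with the "=" padding removed; saying so next to "URL-safe base-64 string" would stop readers from expecting a padded 24-character value.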
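Review bot: In the second hunk (@@ -51,7 +51,7), the unchanged line "Quixote decodes the session ID and looks up the corresponding Session object" now follows a base-64 example, but the visible text does not say what happens to a cookie that still carries an ID in the old hexadecimal format, or to a value that is not valid URL-safe base-64. Because the commit subject says the ID format has changed, add a sentence stating how such cookies are handled after an upgrade, for example whether the request is treated as having no session and a new ID is issued.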
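Review bot: In the last hunk (@@ -180,7 +180,7), the refreshed example `Set-Cookie: QX_session="pJX1bU47T-6hbfjP2f5pPA"; Path="/"` sends the session ID with all requests to www.example.com, and none of the Set-Cookie examples touched by this patch shows a Secure or HttpOnly attribute. Since these lines are being edited anyway, add a sentence on how to have those attributes set, or state that Quixote does not set them, so that readers who copy the Path setting do not take the bare cookie as the recommended form.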