Ticket #416 (defect)
Opened 3 years ago
Last modified 3 years ago
favicon.ico handling causes resource leak in session management
Status: closed (fixed)
| Reported by: | anonymous | Assigned to: | rdelon |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | CherryPy code | Keywords: | |
| Cc: | | | |
I'm using cherrypy 2.1 with the PostgreSQL session backend and mod_python with the mpcp connector.
An HTTP GET request for /favicon.ico unaccompanied by a sessionID cookie causes a new session to be generated and stored in the database. Certain web browsers like Opera may make a new request for /favicon.ico unaccompanied by a sessionID cookie each time a user refreshes a page, e.g.:
```
T 127.0.0.1:49561 -> 127.0.0.1:80 [AP]
GET /favicon.ico HTTP/1.1.
User-Agent: Mozilla/5.0 (X11; Linux i686; U; en) Opera 8.51.
Host: localhost.
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1.
Accept-Language: en.
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1.
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0.
Referer: http://localhost/.
Cache-Control: no-cache.
Connection: Keep-Alive, TE.
TE: deflate, gzip, chunked, identity, trailers.
.
```
versus Firefox:
```
T 127.0.0.1:49573 -> 127.0.0.1:80 [AP]
GET /favicon.ico HTTP/1.1.
Host: localhost.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051217 Debian/1.5.dfsg-2 Firefox/1.5.
Accept: image/png,*/*;q=0.5.
Accept-Language: en-us,en;q=0.5.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Cookie: sessionID=49550d6e243eb95be451bc60ba3293e71ce9b786.
.
```
Opera's behavior causes a new row to be added to the session table for each /favicon.ico request. Thus, each time an Opera user refreshes a page, a resource leak occurs which isn't cleaned up until the next time cherrypy deletes expired sessions.
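The leak described in this ticket, reproduced as an added example (not CherryPy's code and not the change made in [892]). `SessionStore`, `session_filter`, `SKIP_PATHS` and the sample User-Agent are hypothetical stand-ins; the guard shown keys on the path and the missing cookie only.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sessionID"        # cookie name as seen in the captured requests
SKIP_PATHS = {"/favicon.ico"}    # assumption: paths that never need a session


class SessionStore:
    """In-memory stand-in for the session table (hypothetical)."""

    def __init__(self):
        self.rows = {}

    def create(self):
        sid = secrets.token_hex(20)
        self.rows[sid] = {}
        return sid


def session_filter(store, path, headers, skip_cookieless=False):
    """Return the session id used for this request, or None if skipped."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    if COOKIE_NAME in cookie and cookie[COOKIE_NAME].value in store.rows:
        return cookie[COOKIE_NAME].value   # known session: reuse, no new row
    if skip_cookieless and path in SKIP_PATHS:
        return None                        # guard: no row for a cookieless favicon hit
    return store.create()                  # behaviour described in the ticket


def simulate(refreshes, skip_cookieless):
    """One user refreshing a page; the favicon request never carries the cookie."""
    store = SessionStore()
    sid = session_filter(store, "/", {}, skip_cookieless)
    for _ in range(refreshes):
        page = {"Cookie": f"{COOKIE_NAME}={sid}"}
        icon = {"User-Agent": "Opera 8.51"}   # constructed sample, no Cookie header
        session_filter(store, "/", page, skip_cookieless)
        session_filter(store, "/favicon.ico", icon, skip_cookieless)
    return len(store.rows)


if __name__ == "__main__":
    print("rows without guard:", simulate(50, skip_cookieless=False))
    print("rows with guard:   ", simulate(50, skip_cookieless=True))
```

Without the guard the row count grows by one per refresh; with it the table holds only the user's real session until expiry.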
Change History
12/28/05 18:51:50: Modified by anonymous
12/29/05 10:53:42: Modified by rdelon
- status changed from new to closed.
- resolution set to fixed.
Fixed in [892]
12/29/05 12:35:17: Modified by fumanchu
Just a note that the fix changes the behavior: previously, any path that ended with "favicon.ico" would be served the default (so that subpaths within a site would also get favicons); now, only the root favicon is served. :/


Index: trunk/cherrypy/filters/sessionfilter.py =================================================================== --- trunk/cherrypy/filters/sessionfilter.py (revision 889) +++ trunk/cherrypy/filters/sessionfilter.py (working copy) @@ -84,7 +84,17 @@ storage = conf('session_filter.storage_type', 'Ram') storage = storage[0].upper() + storage[1:] - + + if cherrypy.request.object_path == '/favicon.ico': + crh = cherrypy.request.headers + for k,v in crh.items(): + if k.lower() == 'user-agent': + if ' opera ' in v.lower(): + if cookieName not in cherrypy.request.simpleCookie: + # opera is requesting /favicon.ico without + # presenting a session cookie + return + # People can set their own custom class # through session_filter.storage_class sess.sessionStorage = conf('session_filter.storage_class', None)
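Review bot: The `' opera '` User-Agent test inside the new `/favicon.ico` branch is narrower than the condition that causes the leak. The row is created for any request to `/favicon.ico` that arrives without the session cookie, so a client whose User-Agent does not contain `opera` with a space on each side (a string beginning `Opera/`, for instance, or no User-Agent at all) still falls through and gets a new session, and the header is client-supplied in any case. Consider keying on the path and the missing cookie only: `if cherrypy.request.object_path == '/favicon.ico' and cookieName not in cherrypy.request.simpleCookie: return`. That also removes the manual loop over `crh.items()`. Since the early `return` happens before `sess.sessionStorage` is assigned, it is worth confirming that nothing later in the request touches `sess` for this path.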