Ticket #792 (defect)
Opened 4 months ago
Last modified 4 months ago
Invalid session id in cookie
Status: closed (fixed)
| Reported by: | ppchan | Assigned to: | rdelon |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.1 |
| Component: | CherryPy code | Keywords: | backport |
| Cc: |
On Windows environment,
tools.sessions.storage_path = "c:/dev/sessions"
causes cp throw an HTTPError.
400 Bad Request Invalid session id in cookie.
The cause is:
session.py line 305: f = os.path.join(self.storage_path, self.SESSION_PREFIX + self.id) line 306: if not os.path.normpath(f).startswith(self.storage_path):
os.path.join uses 2 backslashes '\\' to join the pathnames. os.path.normpath(), however, uses forward slash '/' as path separator. The startswith on line 306 will never give True in this case.
Change History
02/29/08 11:32:17: Modified by fumanchu
- status changed from new to closed.
- description changed.
- priority changed from high to normal.
- milestone set to 3.1.
- keywords changed from sessions.py to backport.
- resolution set to fixed.
os.path.join only uses 2 backslashes because you're on Windows; it's platform-dependent. normpath does *not* use forward-slash; it is also platform-dependent. The real problem is that self.storage_path is not normpath'ed before comparing it to another normalized path:
Fixed in trunk in [1904] (abspath calls normpath). Until it's backported, other versions should just enter Windows paths with the proper double-backslashes as separators.