On Wednesday, January 8, 2014 10:41:49 PM UTC+1, Wonton wrote:
>
> Hello everyone,
>
> I'm trying to implement the web2py recipes to improve the efficiency and
> security of my backend. I'm beginning with sessions and I have a couple of
> doubts:
>
> - My site is over SSL and has user authentication, so I guess I should
> secure my sessions. The recipe says "In your applications, if they require
> authentication, you should make the session cookies secure
> with: session.secure()",
> but, where should I put that code?
>

session.secure() just adds secure to the cookies. If all your site is behind SSL, then put session.secure() in a model, so every session will have this "flag" set.

> - The number of session files of my server is growing quickly so I should
> use the sessions2trash.py script, but, how should I use that script?
> Should I create a cron task in my server that executes each day something
> like this "python web2py.py -S app -M -R scripts/sessions2trash.py -A -o
> -x 3600 -f"?
>

This is a two-sided question:

If your sessions are growing because they are never deleted, then sure, use the script as a cron task (the setup with nginx does it for you for the welcome app automatically, https://github.com/web2py/web2py/blob/master/scripts/setup-web2py-nginx-uwsgi-ubuntu.sh#L145, using uwsgi cron facilities).

If instead they're growing because lots of different users access the application that needs them, you can do absolutely nothing, except follow some best practices on using separate=True to avoid having speed penalties from the underlying filesystem (for tens of thousands of session files) or adopt the redis backend, which can handle millions of sessions very quickly.

All of this is largely documented in the book at http://web2py.com/books/default/chapter/29/13/deployment-recipes

Please note that with your command line you'll delete sessions older than an hour, regardless of the expiration: this means that your users will have to log on after 1 hour of no activity, and that **could** be seen as a bummer.

>
> Thank you very much and kind regards!
>