tags:

views:

844

answers:

4
+1  Q: 

Django, mod_python, apache and wacky sessions

I am running a Django through mod_python on Apache on a linux box. I have a custom authentication backend, and middleware that requires authentication for all pages, except static content.

My problem is that after I log in, I will still randomly get the log in screen now and again. It seems to me that each apache process has it's own python process, which in turn has it's own internals. So as long as I get served by the same process I logged in to, everything is fine and dandy. But if my request gets served by a different apache process, I am no longer authenticated.

I have checked the HTTP headers I send with FireBug, and they are the same each time, ie. same cookie.

Is this a known issue and are there workarounds/fixes?

Edit: I have a page that displays a lot of generated images. Some off these will not display. This is because they are too behind the authenticating middleware, so they will randomly put up a login image. However, refreshing this page enough times, and it will eventually work, meaning all processes recognize my session.

A: 

Do you have standard database-driven sessions? Is caching enabled in settings?

ilvar  2008-10-03 12:04:32
Same error with both standard and file based sessions. No caching enabled.
Staale  2008-10-03 12:21:34
+1  A: 

You are correct about how Apache handles the processes, and sometimes you'll get served by a different process. You can see this when you make a change to your site; new processes will pick up the change, but old processes will give you the old site. To get consistency, you have to restart Apache.

Assuming a restart doesn't fix the problem, I would guess it's something in the "custom authentication backend" storing part of the authentication in memory (which won't work very well for a web server). I would try setting MaxRequestsPerChild to 1 in your Apache config and seeing if you still get the login screen. If you do, something is being stored in memory, maybe a model not being saved?

Hope that helps!

P.S. Just out of curiosity, why are you using a custom authentication backend and a middleware to ensure the user is logged in? It seems Django's contrib.auth and @login_required would be easier...

tghw  2008-10-03 12:15:14
I need to authenticate against active directory, hence my own authentication backend. Nothing is stored in memory. I am not using @login_required because this is for an intranet available externally, and I don't trust myself to remember to put that on all views
Staale  2008-10-03 12:23:35
Authentication based off this: http://www.djangosnippets.org/snippets/501/
Staale  2008-10-03 12:24:27
What does setting MaxRequestsPerChild to 1 do?
tghw  2008-10-03 15:54:40
Sorry, didn't get to test that, and now I won't be able to until monday. Thanks for the advice at least, I will try it out.
Staale  2008-10-03 19:04:24
Let me know how it goes
tghw  2008-10-06 23:36:18
A: 

I highly recommend you don't set MaxRequestsPerChild to 1, as that would cause so much overhead as each process gets killed off and respawns with every request.

Are you using apaches preform MPM or worker MPM?

Take a look at http://docs.djangoproject.com/en/dev/howto/deployment/modpython/?from=olddocs that may give you some help

jlintz  2008-10-05 04:00:50
A: 

If you are using some global variables to hold data of your custom authentication session, you need to change this to use either file, database or memcached. As stated above mod_python launches few processes and there's no shared memory between them.

I recommend using memcached for this, also use cookies to store session ID or pass it with as GET parameter so that later you can easily extract session data from the cache.

Bartosz Ptaszynski  2009-03-30 21:12:26

related questions

How do I add a MIME type to .htaccess?
Difference between the Apache HTTP Server and Apache Tomcat?
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Cleanest & Fastest server setup for Django
Installing Apache Web Server on 64 Bit Mac
Running Apache alongside another web server?
Algorithm behind MD5Crypt
Can you compile Apache HTTP Server and redeploy its binaries to a different location ?
mod_rewrite rule to redirect all requests except for one specific path
How do I create a self signed SSL certificate to use while testing a web app.
Software for Webserver Log Analysis?
What is the difference between an endpoint, a service, and a port when working with webservices?
What are the proper permissions for an upload folder with PHP/Apache?
mod_rewrite to alias one file suffix type to another
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
User authentication on Resin webserver
How do you set up Python scripts to work in Apache 2.0?
Block user access to internals of a site using HTTP_REFERER
.htaccess directives to *not* redirect certain URLs
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP