Home

gae-sessions provides a fast, lightweight Sessions middleware for Google App Engine using memcache+datastore for Python. See the readme for more information about the project and how to use it.

Useful Links

• The readme explains how to install and use gae-sessions.
• See how it compares to other session libraries.
• View the documentation.
• The library is tested with significant functionality tests (test coverage data).
• If you have questions or need help, try posting to the gae-sessions group at gae-sessions@googlegroups.com or visiting the google group webpage.

Release Notes

v1.07 (tgz | zip)

• Add support for expiring cookie sessions when the browser closes.
• Add the Vary header when appropriate (enables users to also use Django cache middleware).
  • Thanks to Elias Naur for providing the patch for both of the above improvements.
• gae-sessions is now thread-safe.
  • Thanks to Sylvain for suggesting this.
• Corrupt session data is now handled more gracefully.
  • Thanks to Chris for suggesting a patch to accomplish this.
• Add set_current_session()
  • Thanks to Calvin for the initial implementation of this method.

v1.06 (tgz | zip)

• memcache keys associated with sessions now expire when the associated session expires.
  • In the past, they would remain until memcache evicted them.
  • Thanks to Anton for reporting this issue.

v1.05 (tgz | zip)

• Resolved Issue #10 / Add new option which instructs the client to only send session cookies over a secure channel.
  • Thanks to msmart for suggesting this.

v1.04 (tgz | zip)

• Resolved Issue #8 / GAE 1.3.6 compatibility: explicitly specify namespace for all datastore/memcache operations.
  • Thanks to owebeeone for suggesting this.
  • This ensures session data is always stored and retrieved from the same namespace.

v1.03 (tgz | zip)

• Compatibility fix: Internet Explorer no longer discards gae-sessions cookies when the browser is closed.
  • Apparently, IE requires cookie expirations to be specified in GMT (v1.02 specified them in PST).
• Security improvement: gae-sessions’ cookies now specify HttpOnly which instructs browsers to make them inaccessible to JavaScript. This helps prevent some XSS attacks (details here).

v1.02 (tgz | zip)

• Bug fix: The sessions cleanup method would fail if there were >500 expired sessions.

v1.01 (tgz | zip)

• Added DjangoSessionMiddleware – enable Django users to use gae-sessions.

v1.0 (tgz | zip)

• Secure cookies are now used for small sessions. This is 10-100x faster!
  • This feature may disabled by passing cookie_only_threshold=0 to SessionMiddleware.
• Pickle format v2 is now used. This improves performance a bit.
• Added significant tests to automatically verify correctness as best as possible.
• Expiration times are now specified as UNIX timestamps (instead of datetime objects).
• The memcache_only option is now called no_datastore.
• Several other minor code improvements.

v0.9 (download)

• Added a memcache_only option (defaults to False).
• SessionMiddleware.__init__() now takes configuration parameters (see the readme for details).
  • In the past, you had to edit the source to change the configuration.
• Performance fix: if set_quick() was called multiple times, data might be persisted to the datastore unnecessarily.

v0.8

• Refactored user_is_now_logged_in() to regenerate_id() and documented it in the readme.
• Fixed a regression in v0.7 which caused old session data to be deleted when changing session IDs.
• set_quick() now starts a new session if one isn’t currently active – just like __setitem__().
• Documentation strings have been improved
• Support has been added for generating documentation via sphinx.

v0.7

• Session data is now lazily loaded. If you don’t read/write it, no overhead is added.
• Expiration date handling has been improved.
  • Starting in v0.5, expiration time is in the sid, so there is no need to also store it in the session data.

v0.6

• Added clear() method to Session.
• Cleanly handle bogus cookies which specify session ID to be the empty string.
• Session data can now be retrieved manually (via session ID).

v0.5

• Resolved Issue #2 : added support for cleaning up expired sessions from the datastore.
  • Thanks to Amir Shimoni for suggesting this
• Added a demo cronjob which uses the provided cleanup function to remove expired sessions daily.
• Fix regression in v0.04 which caused the datastore to never be used (oops).

v0.4

• Added support for “quick” methods which only save changes to memcache (avoiding a datastore put).
• Added a new demo which uses Google Accounts for authentication.
• The original demo now works regardless of what port the development server is running on.

v0.3

• Cleanly handle any db.delete() failure (could occur if the datastore goes into read-only mode, etc.)
• Fixed Issue #1 : A license is now specified (Apache License v2).

v0.2

• Initial Beta Release