dound edited this page Jul 3, 2011 · 31 revisions

gae-sessions provides a fast, lightweight Sessions middleware for Google App Engine using memcache+datastore for Python. See the readme for more information about the project and how to use it.

Release Notes

v1.07 (tgz | zip)

  • Add support for expiring cookie sessions when the browser closes.
  • Add the Vary header when appropriate (enables users to also use Django cache middleware).
    • Thanks to Elias Naur for providing the patch for both of the above improvements.
  • gae-sessions is now thread-safe.
    • Thanks to Sylvain for suggesting this.
  • Corrupt session data is now handled more gracefully.
    • Thanks to Chris for suggesting a patch to accomplish this.
  • Add set_current_session()
    • Thanks to Calvin for the initial implementation of this method.

v1.06 (tgz | zip)

  • memcache keys associated with sessions now expire when the associated session expires.
    • In the past, they would remain until memcache evicted them.
    • Thanks to Anton for reporting this issue.

v1.05 (tgz | zip)

  • Resolved Issue #10 / Add new option which instructs the client to only send session cookies over a secure channel.
    • Thanks to msmart for suggesting this.

v1.04 (tgz | zip)

  • Resolved Issue #8 / GAE 1.3.6 compatibility: explicitly specify namespace for all datastore/memcache operations.
    • Thanks to owebeeone for suggesting this.
    • This ensures session data is always stored and retrieved from the same namespace.

v1.03 (tgz | zip)

  • Compatibility fix: Internet Explorer no longer discards gae-sessions cookies when the browser is closed.
    • Apparently, IE requires cookie expirations to be specified in GMT (v1.02 specified them in PST).
  • Security improvement: gae-sessions’ cookies now specify HttpOnly which instructs browsers to make them inaccessible to JavaScript. This helps prevent some XSS attacks (details here).

v1.02 (tgz | zip)

  • Bug fix: The sessions cleanup method would fail if there were >500 expired sessions.

v1.01 (tgz | zip)

  • Added DjangoSessionMiddleware – enables Django users to use gae-sessions.

v1.0 (tgz | zip)

  • Secure cookies are now used for small sessions. This is 10-100x faster!
    • This feature may be disabled by passing cookie_only_threshold=0 to SessionMiddleware.
  • Pickle format v2 is now used. This improves performance a bit.
  • Added significant tests to automatically verify correctness as best as possible.
  • Expiration times are now specified as UNIX timestamps (instead of datetime objects).
  • The memcache_only option is now called no_datastore.
  • Several other minor code improvements.

v0.9 (download)

  • Added a memcache_only option (defaults to False).
  • SessionMiddleware.__init__() now takes configuration parameters (see the readme for details).
    • In the past, you had to edit the source to change the configuration.
  • Performance fix: if set_quick() was called multiple times, data might be persisted to the datastore unnecessarily.


  • Refactored user_is_now_logged_in() to regenerate_id() and documented it in the readme.
  • Fixed a regression in v0.7 which caused old session data to be deleted when changing session IDs.
  • set_quick() now starts a new session if one isn’t currently active – just like __setitem__().
  • Documentation strings have been improved.
  • Support has been added for generating documentation via sphinx.


  • Session data is now lazily loaded. If you don’t read/write it, no overhead is added.
  • Expiration date handling has been improved.
    • Starting in v0.5, expiration time is in the sid, so there is no need to also store it in the session data.


  • Added clear() method to Session.
  • Cleanly handle bogus cookies which specify session ID to be the empty string.
  • Session data can now be retrieved manually (via session ID).


  • Resolved Issue #2 : added support for cleaning up expired sessions from the datastore.
  • Added a demo cronjob which uses the provided cleanup function to remove expired sessions daily.
  • Fix regression in v0.04 which caused the datastore to never be used (oops).


  • Added support for “quick” methods which only save changes to memcache (avoiding a datastore put).
  • Added a new demo which uses Google Accounts for authentication.
  • The original demo now works regardless of what port the development server is running on.


  • Cleanly handle any db.delete() failure (could occur if the datastore goes into read-only mode, etc.)
  • Fixed Issue #1 : A license is now specified (Apache License v2).


  • Initial Beta Release