Saltymule

Reputation: 2937

Why does WebApp2 auth.get_user_by_session() change the token?

I am using WebApp2 with auth for user sessions. My client will occasionally make nearly simultaneous requests to the server. The first one will make a request with session data that looks like this:

{
 'cache_ts': 1408106895, 
 'token': u'GXpsaVQh5ZWtqxJMUBpGTr', 
 'user_id': 5690665774088192L, 
 'remember': 1, 
 'token_ts': 1408034938
}

Then after a call to auth.get_user_by_session(), the session comes back like this:

{
 'cache_ts': 1408124980, 
 'token': u'0IVduczdGR5PkrMqNhBvzW', 
 'user_id': 5690665774088192L, 
 'remember': 1, 
 'token_ts': 1408124980
}

As you can see the token has been changed, and the timestamps updated.

Nearly simultaneously, another request is made that contains the same initial session data.

{
 'cache_ts': 1408106895, 
 'token': u'GXpsaVQh5ZWtqxJMUBpGTr', 
 'user_id': 5690665774088192L, 
 'remember': 1, 
 'token_ts': 1408034938
}

However, that token is now invalid, so the session data is set to None. This wipes the user's session and causes lots of problems. Is there some setting I should be using to extend the life of the UserToken? Is there a more appropriate method than get_user_by_session()? I would imagine that nearly simultaneous requests with the same session data shouldn't cause enormous issues. The ideal situation would be that if auth received invalid or expired tokens it would just ignore them and throw an error.

Update 1

Hoped it was something simple like passing False to get_user_by_session(). That of course killed the session immediately.

Update 2

I've found that I only really need the user_id field, and that comes for free with the cookie data. Implementing that reduces the frequency of the issue. However the problem isn't actually fixed, and I'd love some input from anyone with familiarity of this library.

Upvotes: 3

Views: 385

Answers (1)

janscas

Reputation: 629

This is due to the token_new_age parameter, which defaults to 1 day, so every 24h the token will change.

This is a security measure, because if someone hacks that session it will only work for 24h.

The 'token_max_age' parameter will also delete the token when that time is consumed.

Upvotes: 2
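To make the answer's explanation concrete, here is an added example (not code from webapp2 or from either poster) that models the token_cache_age / token_new_age / token_max_age decision in plain Python and replays the question's two near-simultaneous requests against one in-memory token store. The default values for token_max_age (three weeks) and token_cache_age (one hour) are the webapp2_extras.auth defaults as I know them and should be treated as assumptions; the TokenStore class, validate_session() and simulate_concurrent_requests() are hypothetical helpers written for this illustration, and the store/session contents are constructed from the timestamps in the question.

```python
import secrets

# Session-token ageing settings in the shape webapp2_extras.auth uses.
# token_new_age = 1 day is the default the answer refers to; the other two are
# the library defaults as I recall them (assumption).
AUTH_CONFIG = {
    'token_max_age': 86400 * 7 * 3,   # hard expiry: the user must log in again
    'token_new_age': 86400,           # after this age the token is rotated
    'token_cache_age': 3600,          # how long a session may skip the datastore
}


class TokenStore:
    """Minimal in-memory stand-in for the UserToken datastore model (hypothetical)."""

    def __init__(self):
        self.tokens = {}  # (user_id, token) -> token_ts

    def create_auth_token(self, user_id, now):
        token = secrets.token_urlsafe(16)
        self.tokens[(user_id, token)] = now
        return token

    def get_token_ts(self, user_id, token):
        return self.tokens.get((user_id, token))

    def delete_auth_token(self, user_id, token):
        self.tokens.pop((user_id, token), None)


def validate_session(store, session, now, config=AUTH_CONFIG):
    """Return (status, new_session); status is 'valid', 'rotated' or 'invalid'.

    Models the decision get_user_by_session() makes as the answer describes it:
    re-check the token in the store once the cached verdict is older than
    token_cache_age, drop it past token_max_age, and rotate it (deleting the
    old token) past token_new_age.
    """
    user_id, token = session['user_id'], session['token']
    token_ts, cache_ts = session['token_ts'], session['cache_ts']

    # Cached verdict is stale: look the token up again.
    if now - cache_ts > config['token_cache_age']:
        token_ts = store.get_token_ts(user_id, token)
        if token_ts is None:
            return 'invalid', None  # unknown token, or already rotated away
        cache_ts = now

    age = now - token_ts
    if age > config['token_max_age']:
        store.delete_auth_token(user_id, token)
        return 'invalid', None
    if age > config['token_new_age']:
        # Rotation: the old token stops working the moment it is deleted here,
        # which is what breaks a concurrent request still carrying it.
        store.delete_auth_token(user_id, token)
        token = store.create_auth_token(user_id, now)
        token_ts = cache_ts = now
        status = 'rotated'
    else:
        status = 'valid'
    return status, dict(session, token=token, token_ts=token_ts, cache_ts=cache_ts)


def simulate_concurrent_requests(config=AUTH_CONFIG):
    """Replay the question's two requests: both arrive with the same old session."""
    store = TokenStore()
    user_id = 5690665774088192
    old_token = 'GXpsaVQh5ZWtqxJMUBpGTr'
    store.tokens[(user_id, old_token)] = 1408034938       # token_ts from the question
    session = {'user_id': user_id, 'token': old_token, 'remember': 1,
               'token_ts': 1408034938, 'cache_ts': 1408106895}
    now = 1408124980                                      # the post-rotation timestamp
    first, renewed = validate_session(store, dict(session), now, config)
    second, _ = validate_session(store, dict(session), now + 1, config)
    return first, second, renewed


if __name__ == '__main__':
    print(simulate_concurrent_requests())
    longer = dict(AUTH_CONFIG, token_new_age=86400 * 7)
    print(simulate_concurrent_requests(longer))
```

With the defaults the token is 90042 seconds old at the first request, past token_new_age, so that request rotates it and the second request's lookup of the old token fails exactly as the question describes. Raising token_new_age (the second run uses a week) keeps both requests valid, at the cost of the 24h bound the answer points out a hijacked session is otherwise limited to; token_max_age still forces a fresh login once its window is consumed.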
