>True. The fun thing about the recipe is that it produces keys that are
>so unique that they do not need to be checked against a db. That's
>where the performance benefit comes from. And I think not checking
>against a db is the "other context" mentioned in the ticket.

Actually it doesn't. It depends on the IP used - and that isn't necessarily unique, if for example people run servers behind a front Apache inside of the DMZ and use private-range addresses there. To guarantee uniqueness you wouldn't use IP addresses but would use namespaces - like domain names with host names where you are sure to use a domain only you control. And you want to throw in a cryptographic signature to make sure that nobody can tamper with GUIDs by just using your domain.

Oh, and due to the added md5 hexdigest the "guaranteed uniqueness" isn't really reliable. I still remember the days when PGP switched to an extended key ID format, because the old one produced duplicates, and I still remember people producing keys with identical fingerprints. Actually MD5 nowadays isn't really reliable anyway, so it should be used at best only for its good bit-change-spreading behaviour (that's what it is used for in Django).

>Where do you do session cleanup? Are you using a simple bash/cron job
>or is it something that should be running within django?

Just a simple cronjob with an SQL statement that blows away outdated sessions.

bye, Georg