Changes in Beaker

Release 1.10.0 (2018-06-04)

  • Redis namespace manager now supports providing a TTL for session entries that had a timeout provided. This will remove the need to manually clear expired sessions from the redis storage.
  • nsscrypto backend is now properly identified as providing AES support.
  • When a crypto backend doesn’t support AES it will no longer crash if the encrypt_key is None.
  • Session cookies will now provide support for SameSite through the samesite option. By default this will be Lax, but can be set to Strict or None to disable it.

Release 1.9.1 (2018-04-09)

  • When decorating a function with @cache_region decorator the function generated to update the cached value will be named like the decorated function. So that during debugging it’s easy to know which function is involved.
  • Removed usage of async as a variable in code, this fixes a compatibility problem with Python 3.7 where it’s a keyword.
  • Fixed a race condition in FileNamespaceManager.
  • ext.database backend will now properly close connections.
  • Do not leave bhind corrupted files if FileNamespaceManager is interrupted while writing a new file. Replacing content of a file or writing a new one is now always an atomic operation.
  • DBMNamespaceManager and FileSynchronizer will now deal with directories disappearing while they try to write to them.
  • The Redis and MongoDB backends are not exposed in documentation.

Release 1.9.0 (2017-06-19)

  • Beaker now provides builtin ext:mongodb and ext:redis namespace managers. Both come with a Synchronizer implemented on the storage backend instead of relying on file one.
  • Fixed an issue where cookie options like Secure, Domain and so on where lost.
  • Improved support for cache entries expiration. NamespaceManagers that support it will expire their key automatically.
  • Pycryptodome can be used instead of pycrypto.
  • An issue with Cookie module import on case insensitive file systems should have been resolved.
  • Cryptography module is now as a crypto function provider instead of pycrypto

Release 1.8.1 (2016-10-24)

  • Sessions have a new option save_accessed_time which defaults to true for backwards compatibility. Set to false to tell beaker not to update _accessed_time if the session hasn’t been changed, for non-cookie sessions stores. This lets you avoid needless datastore writes. _accessed_time will always be updated when the session is intentionally saved.
  • data_serializer parameter in Session accepts a custom object with dumps and loads methods.
  • Fixed a TypeError in exception reporting when failing to load a NamespaceManager
  • Allow to change Cookie Expiration from a value back to None, previously it had no effect.
  • Allow SessionMiddleware to setup a custom Session class through the session_class argument.
  • Added invalidate_corrupt option to CookieSessions too for valid cookies containing invalid data.

Release 1.8.0 (2016-01-26)

  • Encrypted sessions can now specify nonce length for salt generation through encrypt_nonce_bits parameter. set it to 48 for backward compatibility with sessions generated before 1.8.0
  • kwargs support in @cache_region decorator
  • annotations support in @cache_region decorator
  • data_serializer parameter in Session can now specify json to avoid pickle security issues
  • Invalid cookies are now skipped in cookie based sessions
  • Memcached based on PyLibMC now share same connection pool for same url

Release 1.7.0 (2015-04-20)

  • Beaker no longer supports python 2.4 and 2.5
  • Beaker now supports Python 2.6, 2.7, 3.2, 3.3, 3.4 without 2to3 usage
  • Fixed Encrypted Cookie Session on Python3 #57
  • New pbkdf2 mobule working on Python3 #21
  • Fixed Test suite on Python 3.3 #53, #51

Release 1.6.5 (2015-02-06)

  • @cached decorator now keeps docstring of decorated method.
  • Fix crash when Session accessed_time is not available, this happened when session encrypt_key was changed.
  • Fix cache regions not providing a default key length even though this was required and examples in the doc didn’t provide it.
  • Fix crash when cache expire wasn’t an int, this happened when caching options were loaded from a config file.

Release 1.6.4 (8/13/2012)


Session hashing for encrypted sessions using PyCrypto has changed. This will result in sessions being invalidated upon upgrading if PyCrypto is used.

  • Fix bug with key_length not being coerced to a int for comparison. Patch by Greg Lavallee.
  • Fix bug with cookie invalidation not clearing the cookie data. Patch by Vasiliy Lozovoy.
  • Added ability to pass in cookie_path for the Session. Patch by Marcin Kuzminski.
  • Add NSS crypto support to Beaker. Patch by Miloslav Trmac of Redhat.
  • Fix security bug with pycrypto not securing data such that an attacker could possibly determine parts of the encrypted payload. Patch by Miloslav Trmac of Redhat. See CVE-2012-3458.
  • Add ability to specify schema for database-backed sessions. Patch by Vladimir Tananko.
  • Fix issue with long key names in memcached backend. Patch by Guillaume Taglang.

Release 1.6.3 (2/29/2012)

  • Fix bug with cookie deletion on leap years. Patch contributed by Greg Nelson and Michael Wirth.
  • Fix issue with referencing same module via different import paths. Patch contributed by brianfrantz.
  • Fix cookie expiration check. Patch contributed by Mike Dirolf.

Release 1.6.2 (12/13/2011)

  • Updated dogpile lock so that it locks per namespace+key rather than on the entire namespace. (#101)
  • Added encryption option for any backend. Patch contributed by Toby Elliot.

Release 1.6.1 (10/20/2011)

  • Remove stray print statement.
  • Include .app for consistency instead of requiring wrap_app.

Release 1.6 (10/16/2011)

  • Fix bug with cache_key length calculation.
  • Fix bug with how path was set so that its restored properly and propagated.
  • Fix bug with CacheMiddleware clobbering enabled setting.
  • Update option for cookie_expires so that it can now handle an integer which will be used as the seconds till the cookie expires.
  • Merge fix for Issue 31, can now handle unicode cache keys.
  • Add key_length option for cache regions, and for keyword args passed into the cache system. Cache keys longer than this will be SHA’d.
  • added runtime beaker.__version__
  • Add webtest_varname option to configuration to optionally include the session value in the environ vars when using Beaker with WebTest.
  • Defer running of pkg_resources to look for external cache modules until requested. #66
  • memcached backend uses pylibmc.ThreadMappedPool to ensure thread-local usage of pylibmc when that library is in use. (#60)
  • memcached backend also has memcache_module string argument, allows direct specification of the name of which memcache backend to use.
  • Basic container/file-based Session support working in Py3K. (#72)
  • Further Python 3 fixes
  • Added an optimization to the FileNamespaceContainer when used with Session, such that the pickled contents of the file are not read a second time when is called. (#64)
  • Fixed bug whereby CacheManager.invalidate wouldn’t work for a function decorated by cache.cache(). (#61)
  • cache decorators @cache.cache(), @cache_region() won’t include first argument named ‘self’ or ‘cls’ as part of the cache key. This allows reasonably safe usage for methods as well as functions. (#55)
  • file backend no longer squashes unpickling errors. This was inconsistent behavior versus all the other backends.
  • invalidate_corrupt flag on Session now emits a warning. (#52)
  • cache.remove_value() removes the value even if it’s already marked ‘expired’ (#42)

Release 1.5.4 (6/16/2010)

  • Fix import error with InvalidCryptoBackendError.
  • Fix for domain querying on property.
  • Test cleanups
  • Fix bug with warnings preventing proper running under Jython.

Release 1.5.3 (3/2/2010)

  • Fix Python 2.4 incompatibility with google import.

Release 1.5.2 (3/1/2010)

  • pkg_resources scanning for additional Beaker back-ends gracefully handles situations where its not present (GAE). Fixes #36.
  • Avoid timing attacks on hash comparison.
  • Provide abstract base for MemoryNamespaceManager that deals with “dictionaries”.
  • Added tests for invalidating cache, and fixed bug with function cache when no args are present.
  • The SQLAlchemy backends require SQLAlchemy 0.4 or greater (0.6 recommended).
  • Rudimental Python 3 support is now available. Simply use Python 3 with Distribute and “python install” to run 2to3 automatically, or manually run 2to3 on “beaker” and “tests” to convert to a Python 3 version.
  • Added support for PyCrypto module to encrypted session, etc. in addition to the existing pycryptopp support.

Release 1.5.1 (12/17/2009)

  • Fix cache namespacing.

Release 1.5 (11/23/2009)

  • Update memcached to default to using pylibmc when available.
  • Fix bug when cache value doesn’t exist causing has_key to throw an exception rather than return False. Fixes #24.
  • Fix bug where getpid under GAE is used improperly to assume it should be a non-string. Fixes #22.
  • Add cache_region decorator that works before configuration of the cache regions have been completed for use in module-level decorations.
  • Fix bug where has_value sees the value before its removed.
  • Improved accuracy of “dogpile” checker by removing dependency on “self” attributes, which seem to be slightly unreliable in highly concurrent scenarios.

Release 1.4.2 (9/25/2009)

  • Fix bug where memcached may yank a value after the has_value but before the value can be fetched.
  • Fix properties for setting the path. Fixes #15.
  • Fix the ‘TypeError: argument must be an int, or have a fileno() method’ erorr sporadically emitted by FileSynchronizer under moderate load.

Release 1.4.1 (9/10/2009)

  • Fix verification of options to throw an error if a beaker param is an empty string.
  • Add CacheManager.invalidate function to easily invalidate cache spaces created by the use of the cache decorator.
  • Add CacheManager.region_invalidate function to easily invalidate cache spaces created by the use of the cache_region decorator.
  • Fix the InvalidCryptoBackendError exception triggering a TypeError. Patch from dz, fixes #13.

Release 1.4 (7/24/2009)

  • Fix bug with hmac on Python 2.4. Patch from toshio, closes ticket #2133 from the TurboGears2 Trac.
  • Fix bug with occasional ValueError from FileNamespaceManager.do_open. Fixes #10.
  • Fixed bug with session files being saved despite being new and not saved.
  • Fixed bug with CacheMiddleware overwriting configuration with default arguments despite prior setting.
  • Fixed bug with SyntaxError not being caught properly in entry point discovery.
  • Changed to using BlobProperty for Google Datastore.
  • Added domain/path properties to the session. This allows one to dynamically set the cookie’s domain and/or path on the fly, which will then be set on the cookie for the session.
  • Added support for cookie-based sessions in Jython via the JCE (Java Cryptography Extensions). Patch from Alex Grönholm.
  • Update Beaker database extensions to work with SQLAlchemy 0.6 PostgreSQL, and Jython.

Release 1.3.1 (5/5/2009)

  • Added a whole bunch of Sphinx documentation for the updated site.
  • Added corresponding remove as an alias to the caches remove_value.
  • Fixed cookie session not having an invalidate function.
  • Fix bug with CacheMiddleware not using proper function to load configuration options, missing the cache regions.

Release 1.3 (4/6/2009)

  • Added last_accessed attribute to session to indicate the previous time the session was last accessed.
  • Added setuptools entry points to dynamically discover additional namespace backends.
  • Fixed bug with invalidate and locks, fixes #594.
  • Added cache.cache decorator for arbitrary caching.
  • Added cache.region decorator to the CacheManager object.
  • Added cache regions. Can be provided in a configuration INI type, or by adding in a cache_regions arg to the CacheManager.
  • Fix bug with timeout not being saved properly.
  • Fix bug with cookie-only sessions sending cookies for new sessions even if they weren’t supposed to be saved.
  • Fix bug that caused a non-auto accessed session to not record the time it was previously accessed resulting in session timeouts.
  • Add function to parse configuration dicts as appropriate for use with the CacheManager.
  • The “expiretime” is no longer passed to the memcached backend - since if memcached makes the expired item unavailable at the same time the container expires it, then all actors must block until the new value is available (i.e. breaks the anti-dogpile logic).

Release 1.2.3 (3/2/2009)

  • Fix accessed increment to take place after the accessed time is checked to see if it has expired. Fixes #580.
  • data_dir/lock_dir parameters are optional to most backends; if not present, mutex-based locking will be used for creation functions
  • Adjustments to Container to better account for backends which don’t provide read/write locks, such as memcached. As a result, the plain “memory” cache no longer requires read/write mutexing.

Release 1.2.2 (2/14/2009)

  • Fix delete bug reported by andres with session not being deleted.

Release 1.2.1 (2/09/2009)

  • Fix memcached behavior as memcached returns None on nonexistent key fetch which broke invalid session checking.

Release 1.2 (1/22/2009)

  • Updated session to only save to the storage once no under any/all conditions rather than every time save() is called.
  • Added session.revert() function that reverts the session to the state at the beginning of the request.
  • Updated session to store entire session data in a single namespace key, this lets memcached work properly, and makes for more efficient use of the storage system for sessions.

Release 1.1.3 (12/29/2008)

  • Fix the 1.1.2 old cache/session upgrader to handle the has_current_value method.
  • Make InvalidCacheBackendError an ImportError.

Release 1.1.2 (11/24/2008)

  • Upgrade Beaker pre-1.1 cache/session values to the new format rather than throwing an exception.

Release 1.1.1 (11/24/2008)

  • Fixed bug in Google extension which passed arguments it should no longer pass to NamespaceManager.
  • Fixed bug involving lockfiles left open during cache “value creation” step.

Release 1.1 (11/16/2008)

  • file-based cache will not hold onto cached value once read from file; will create new value if the file is deleted as opposed to re-using what was last read. This allows external removal of files to be used as a cache-invalidation mechanism.
  • file-based locking will not unlink lockfiles; this can interfere with the flock() mechanism in the event that a concurrent process is accessing the files.
  • Sending “type” and other namespace config arguments to cache.get()/ cache.put()/cache.remove_value() is deprecated. The namespace configuration is now preferred at the Cache level, i.e. when you construct a Cache or call cache_manager.get_cache(). This removes the ambiguity of Cache’s dictionary interface and has_key() methods, which have no awareness of those arguments.
  • the “expiretime” in use is stored in the cache itself, so that it is always available when calling has_key() and other methods. Between this change and the deprecation of ‘type’, the Cache no longer has any need to store cache configuration in memory per cache key, which in a dynamically-generated key scenario stores an arbitrarily large number of configurations - essentially a memory leak.
  • memcache caching has been vastly improved, no longer stores a list of all keys, which along the same theme prevented efficient usage for an arbitrarily large number of keys. The keys() method is now unimplemented, and cache.remove() clears the entire memcache cache across all namespaces. This is what the memcache API provides so it’s the best we can do.
  • memcache caching passes along “expiretime” to the memcached “time” parameter, so that the cache itself can reduce its size for elements which are expired (memcache seems to manage its size in any case, this is just a hint to improve its operation).
  • replaced homegrown ThreadLocal implementation with threading.local, falls back to a 2.3 compat one for python<2.4

Release 1.0.3 (10/14/2008)

  • Fixed os.getpid issue on GAE.
  • CookieSession will add ‘_expires’ value to data when an expire time is set, and uses it

Release 1.0.2 (9/22/2008)

  • Fixed bug caused when attempting to invalidate a session that hadn’t previously been created.

Release 1.0.1 (8/19/2008)

  • Bug fix for cookie sessions to retain id before clearing values.

Release 1.0 (8/13/2008)

  • Added cookie delete to both cookie only sessions and normal sessions, to help with proxies and such that may determine whether a user is logged in via a cookie. (cookie varies, etc.). Suggested by Felix Schwarz.
  • cache.get_value() now uses the given kwargs in all cases in the same manner as cache.set_value(). This way you can send a new createfunc to cache.get_value() each time and it will be used.

Release 0.9.5 (6/19/2008)

  • Fixed bug in memcached to be tolerant of keys disappearing when memcached expires them.
  • Fixed the cache functionality to actually work, previously set_value was ignored if there was already a value set.

Release 0.9.4 (4/13/2008)

  • Adding ‘google’ backend datastore, available by specifying ‘google’ as the cache/session type. Note that this takes an optional table_name used to name the model class used.
  • SECURITY BUG: Fixed security issue with Beaker not properly removing directory escaping characters from the session ID when un-signed sessions are used. Reported with patch by Felix Schwarz.
  • Fixed bug with Beaker not playing well with Registry when its placed above it in the stack. Thanks Wichert Akkerman.

Release 0.9.3 (2/28/2008)

  • Adding ‘id’ to cookie-based sessions for better compatibility.
  • Fixed error with exception still raised for PyCrypto missing.
  • WARNING: Session middleware no longer catches Paste HTTP Exceptions, apps are now expected to capture and handle Paste HTTP Exceptions themselves.
  • Fixed Python 2.4 compatibility bug in hmac.
  • Fixed key lookup bug on cache object to only use the settings for the key lookup. Found by Andrew Stromnov.

Release 0.9.2 (2/13/2008)

  • Added option to make Beaker use a secure cookie.
  • Removed CTRCipher as pycryptopp doesn’t need it.
  • Changed AES to use 256 bit.
  • Fixed signing code to use hmac with sha for better signing security.
  • Fixed memcached code to use delete_multi on clearing the keys for efficiency and updated key retrieval to properly store and retrieve None values.
  • Removing and signed cookie middleware, as the environ_key option for session middleware provides a close enough setting.
  • Added option to use just cookie-based sessions without requiring encryption.
  • Switched encryption requirement from PyCrypto to pycryptopp which uses a proper AES in Counter Mode.

Release 0.9.1 (2/4/2008)

  • Fixed bug in middleware using module that wasn’t imported.

Release 0.9 (12/17/07)

  • Fixed bug in memcached replace to actually replace spaces properly.
  • Fixed md5 cookie signature to use SHA-1 when available.
  • Updated cookie-based session storage to use 256-bit AES-CTR mode with a SHA-1 HMAC signature. Now requires PyCrypto to use for AES scheme.
  • WARNING: Moved session and cache middleware to middleware, as per the old deprecation warnings had said was going to happen for 0.8.
  • Added cookie-only session storage with RC4 ciphered encryption, requires Python 2.4.
  • Add the ability to specify the cookie’s domain for sessions.

Release 0.8.1 (11/15/07)

  • Fixed bug in not properly handling missing sqlalchemy library.

Release 0.8 (10/17/07)

  • Fixed bug in prior db update causing session to occasionally not be written back to the db.
  • Fixed memcached key error with keys containing spaces. Thanks Jim Musil.
  • WARNING: Major change to ext:database to use a single row per namespace. Additionally, there’s an accessed and created column present to support easier deletion of old cache/session data. You will need to drop any existing tables being used by the ext:database backend.
  • Streamline ext:database backend to avoid unnecessary database selects for repeat data.
  • Added SQLAlchemy 0.4 support to ext:database backend.

Release 0.7.5 (08/18/07)

  • Fixed data_dir parsing for session string coercions, no longer picks up None as a data_dir.
  • Fixed session.get_by_id to lookup recently saved sessions properly, also updates session with creation/access time upon save.
  • Add unit tests for get_by_id function. Updated get_by_id to not result in additional session files.
  • Added session.get_by_id function to retrieve a session of the given id.

Release 0.7.4 (07/09/07)

  • Fixed issue with Beaker not properly handling arguments as Pylons may pass them in.
  • Fixed unit test to catch file removal exception.
  • Fixed another bug in synchronization, this one involving reentrant conditions with file synchronization
  • If a file open fails due to pickling errors, locks just opened are released unconditionally

Release 0.7.3 (06/08/07)

  • Beaker was not properly parsing input options to session middleware. Thanks to Yannick Gingras and Timothy S for spotting the issue.
  • Changed session to only send the cookie header if its a new session and save() was called. Also only creates the session file under these conditions.

Release 0.7.2 (05/19/07)

  • Added deprecation warning for middleware move, relocated middleware to cache and session modules for backwards compatibility.

Release 0.7.1 05/18/07)

  • adjusted synchronization logic to account for Mako/new Cache object’s multithreaded usage of Container.

Release 0.7 (05/18/07)

  • WARNING: Cleaned up Cache object based on Mako cache object, this changes the call interface slightly for creating a Cache object directly. The middleware cache object is unaffected from an end-user view. This change also avoids duplicate creations of Cache objects.
  • Adding database backend and unit tests.
  • Added memcached test, fixed memcached namespace arg passing.
  • Fixed session and cache tests, still failing syncdict test. Added doctests for Cache and Session middleware.
  • Cleanup of container/cache/container_test
  • Namespaces no longer require a context, removed NamespaceContext?
  • Logging in uses logging module
  • Cleanup of argument passing, use name kwargs instead of params for generic kwargs
  • Container classes contain a static create_namespace() method, namespaces are accessed from the ContainerContext? via string name + container class alone
  • Implemented (but not yet tested) clear() method on Cache, locates all Namespaces used thus far and clears each one based on its keys() collection
  • Fixed Cache.clear() method to actually clear the Cache namespace.
  • Updated memcached backend to split servers on ‘;’ for multiple memcached backends.
  • Merging MyghtyUtils code into Beaker.

Release 0.6.3 (03/18/2007)

  • Added api with customized Session that doesn’t require a Myghty request object, just a dict. Updated session to use the new version.
  • Removing unicode keys as some dbm backends can’t handle unicode keys.
  • Adding core files that should’ve been here.
  • More stringent checking for existence of a session.
  • Avoid recreating the session object when it’s empty.