Session does not work in http endpoint, but cookies do?

I have created a Twilio webhook that works OK. However I’ve run into a little problem: sessions don’t seem to work, but cookies do. See example below that contains both versions.
I’m a bit puzzled by this, because sessions are based on cookies if I’m not mistaken.

After any change I have republished the app.

```python
import anvil.server
from twilio.twiml.messaging_response import MessagingResponse


@anvil.server.http_endpoint('/sms')
def sms_reply(**kwargs):
  print(kwargs)

#   # This works:
#   visits = anvil.server.cookies.local.get('visits',0)
#   anvil.server.cookies.local['visits']=visits+1

  # This does not
  visits = anvil.server.session.get("visits", 0)
  anvil.server.session['visits']=visits+1

  # Build the TwiML reply that Twilio sends back as an SMS
  resp = MessagingResponse()
  resp.message(f"Welkom terug. Aantal keer eerder geweest: {visits}")

  response = anvil.server.HttpResponse(200, str(resp))
  response.headers["Content-Type"] = "text/xml"

  return response
```

Any ideas?

When you say doesn’t work - do you get an error? or it behaves unexpectedly?

The session data is specific to the “browser session” vs cookies which are specific to a browser and persist between sessions.

Not sure if that helps to uncover the issue…

Also, I’m pretty surprised Twilio’s webhook requester respects cookies! I wouldn’t rely on that if I were you.

What are you trying to do?

Actually it is a Twilio feature!
See: https://www.twilio.com/docs/sms/tutorials/how-to-create-sms-conversations-python?code-sample=code-tracking-sms-conversations-using-cookies&code-language=Python&code-sdk-version=6.x

The Flask example uses regular sessions to track an SMS ‘conversation’.

Isn’t the Anvil session machinery using cookies?

What I meant by not working is that the ‘visits’ counter stays at zero when using sessions and counts correctly when using cookies.

Well, that is very cool! Ten points to Twilio.

Anvil’s session functionality has cross-site protection turned on by default, to prevent a common set of attacks known as “XSRF”, or “Cross-site request forgery”.

You can turn this protection off (see the doc link to learn how); just be aware that a malicious website can cause users’ browsers to request API URLs with parameters of their choosing, so don’t trust those requests too much!

Learned something :wink:
But it does not work unfortunately.

In that case, most likely because the session cookies are set to expire quickly/when the browser closes, whereas anvil.server.cookies last longer, and I guess as far as Twilio is concerned those short-term cookies expire between every message.
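
On the advice in this thread not to trust requests too much once cross-site protection is off: the sketch below is an added example, not code from any poster or from Anvil. It checks Twilio's `X-Twilio-Signature` header (HMAC-SHA1 over the request URL plus the sorted POST fields, keyed with the account auth token) before the webhook acts on a request. The function names, token, URL and form values are constructed for illustration.

```python
import base64
import hashlib
import hmac


def twilio_signature(auth_token: str, url: str, params: dict) -> str:
    """Compute the X-Twilio-Signature value for a form-encoded POST webhook."""
    # Twilio signs the full request URL followed by every POST field name and
    # value, concatenated without separators, ordered by field name.
    data = url + "".join(key + params[key] for key in sorted(params))
    digest = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def is_from_twilio(auth_token: str, url: str, params: dict, header_value) -> bool:
    """Return True only if the signature header matches this exact request."""
    if not header_value:
        return False  # unsigned request: reject before touching session state
    expected = twilio_signature(auth_token, url, params)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), header_value.encode())


# Constructed sample values, not real credentials or a real endpoint.
TOKEN = "constructed-auth-token"
URL = "https://example.invalid/_/api/sms"
FORM = {"From": "+15550100", "To": "+15550199", "Body": "hello"}
GOOD_SIG = twilio_signature(TOKEN, URL, FORM)

if __name__ == "__main__":
    print(is_from_twilio(TOKEN, URL, FORM, GOOD_SIG))                   # genuine
    print(is_from_twilio(TOKEN, URL, {**FORM, "Body": "x"}, GOOD_SIG))  # tampered
    print(is_from_twilio(TOKEN, URL, FORM, None))                       # no header
```

In an Anvil endpoint the header and form fields would come from `anvil.server.request`, and the URL passed in must be exactly the one configured in Twilio.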