Code review comment for lp:~lifeless/launchpad/private-librarian

So one thing we will need to do is raise an exception if we try to generate a secure url as an anonymous user. This is a safety net, as I don't think we are doing this at the moment. It will stop accidentally ending up with stale URLs in the Squid caches.

I think I understand why the session store was (ab)used here - it runs in autocommit mode and we rollback the database connections on GET requests to ensure they are idempotent. I still don't like it but can't really offer a better solution with our existing infrastructure except perhaps using memcached. Certainly session.sql should not be modified though, with all the new stuff going into launchpad_session.sql (session.sql is what should have been sent upstream a few years ago).