[Zope-dev] CoreSessionTracking proposal

Dieter Maurer dieter@handshake.de
Sun, 1 Oct 2000 23:33:06 +0200 (CEST)


Phillip J. Eby writes:
 > At 09:27 PM 9/30/00 +0200, Dieter Maurer wrote:
 > >  * I am *VERY* suspicious whenever I get
 > >    a cookie with an expiration date more than
 > >    a few days in the future.
 > >
 > >    If Zope tries to implement long-living browser ids,
 > >    I fear Zope sites will have a high chance that I will
 > >    no longer visit them.
 > 
 > The actual lifetime of a browser ID will be controllable by the Zope site
 > manager.  I agree with you, however, in that the default lifetime should be
 > reasonable.  Indeed, I would suggest that the default simply be to use
 > cookies with no expiration date, and which therefore only live so long as
 > the user's browser is open, be it minutes or days.
I would be very happy with this.

 > >  * I do not think "Anonymous" should have
 > >    "Access Session Data" permission
 > >    with the exception to its own session data.
 > 
 > As I understand it, the "Access Session Data" permission gives you the
 > right to call a method that returns you the session data for the current
 > request, but does not give you the right to access arbitrary session data.
 > Thus, one only has permission to see one's own session data.
Do we need a special permission for this?
All users will have it (when sessions are used at all).
Thus, why clutter the (already cluttered) security management screen
with an additional permission?

 > >    Again, session handling should be transparent,
 > >    implemented by a mechanism that implements
 > >    its own special purpose access policy
 > >    (access to session data only by the
 > >    session owner).
 > 
 > No such policy is necessary, since access to the session data objects
 > themselves is gated.  You can't get to the session object unless you have
 > management rights on the session data manager itself, or if the session
 > data object is for "your" session -- the session for the current REQUEST.
That's precisely the special policy I speak of.


Dieter