[Zope-PAS] [RFC] Extending CookieAuthHelper

Jens Vagelpohl jens at dataflake.org
Thu Nov 11 14:20:34 EST 2004


> WRT sessions, it is a goal of mine for Zope 3 sessions that they be
> ubiquitous and storable over ZEO. This means that we choose not to write
> to them very often. :)  This allows us to *count* on them being there.

I believe sessions are one of these killer things that is underutilized 
for various reasons. One possibly being the fact that they seem to 
require a lot of mind-bending internal logic to do what they are 
supposed to do (hello Chris ;), and sometimes reliability is a problem 
due to the complicated internal logic.

The plugin I am thinking of only writes to the session once, on login, 
and then compares the incoming session key to retrieve credentials from 
the session. So it seems quite sessioning-friendly.


>> Also, the lifespan of the cookie should be configurable on the plugin 
>> and there should be a "logout" method that can be called from user 
>> space/untrusted code to effect cookie expiration.
>
> You can't just use the session-timeout mechanism for that?
> That certainly makes things simpler.

Yes, that's a good point and I have thought about it myself. There are 
two items that need to be cleaned up, come to think of it. On the one 
hand you have a session, but then there's also a cookie. I'm not sure 
yet if I want to re-use the standard sessioning cookie or set my own. I 
need to look at how the timeouts in these items are handled by the 
standard sessioning machinery.

jens

---------------

Jens Vagelpohl			jens at zetwork.com
Software Engineer			+49-(0)441-36 18 14 38
Zetwork GmbH				http://www.zetwork.com/
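
An added sketch of the plugin design discussed in the message above (not code from the post or from PAS): the session is written once at login, every later request is a read-only lookup by the key carried in the cookie, and expiry is an absolute deadline so that checking it needs no session write. The class and method names are hypothetical, and a plain dict stands in for Zope's session machinery.

```python
import secrets
import time


class SessionCredentialStore:
    """Hypothetical stand-in for a session-backed cookie auth plugin."""

    def __init__(self, lifetime_seconds=1200, clock=time.time):
        self.lifetime_seconds = lifetime_seconds  # configurable lifespan
        self._clock = clock
        self._sessions = {}  # assumption: stands in for the server-side session
        self.writes = 0      # counts session writes to show the access pattern

    def login(self, login, password):
        """The single session write: store credentials under a random key."""
        token = secrets.token_urlsafe(32)  # unguessable value for the cookie
        self._sessions[token] = {
            "login": login,
            "password": password,
            # Absolute deadline fixed at login; a sliding timeout would
            # force a session write on every request.
            "expires": self._clock() + self.lifetime_seconds,
        }
        self.writes += 1
        return token

    def extract_credentials(self, cookie_value):
        """Read-only lookup on each request; never modifies the session."""
        record = self._sessions.get(cookie_value or "")
        if record is None or self._clock() >= record["expires"]:
            return None  # unknown or expired key: treat as anonymous
        return {"login": record["login"], "password": record["password"]}

    def logout(self, cookie_value):
        """Explicit logout: drop the server-side record, not only the cookie."""
        if self._sessions.pop(cookie_value, None) is not None:
            self.writes += 1
            return True
        return False
```

Removing the server-side record on logout means a copied cookie value stops working immediately, independent of whatever expiry the browser was given.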


