[Zope] Sessions needed

michel@digicool.com michel@digicool.com
27 Jun 1999 22:46:29 -0400


Frank Buhr <buhr@kogs1.informatik.uni-hamburg.de> writes:

> Hi,
> 
> after doing some experiments with Zope I'm still missing an important feature:
> 
>    How can I easily keep state information over several HTTP-Requests?
> 
> The abstraction that provides this is called "session" for instance in the Java Servlet API
> http://java.sun.com/products/servlet/2.1/html/api-reference.fm.html#945
> JS-sessions provide an abstraction from cookie-mechanisms or URL encoding.
> 
> Netscapes server side javascript provides similar things. There are some
> choices for the implementation of sessions: keeping state information 
> on the server (the client only references an ID) or on the client 
> (all values are stored on the client), using cookies, URL encoding or 
> hidden form elements.
> 
> I found some Classes in the Zope sources where there is already state information
> maintained by cookies (TreeTag and ZRDB.DA)
> This seems to be equivalent to the combination "data on the client, use cookies" from above.
> 
> I very much like the idea of separating the service of "state keeping" from
> the concrete implementation (which might even be chosen dynamically according
> to browser capabilities or user preferences ("no cookies -> use URL encoding")
> 
>    Did I overlook something or is there really no session _abstraction_ in Zope?

You are correct, there is no low level session abstraction in Zope.
This problem is much thornier than it sounds.  Attempting to have a
both useable and flexable session toolkit has show to us to be a
difficult concept that requires a lot of thought.

What are generally called 'sessions' is actually a smaller piece of a
much larger puzzle we call 'membership'.  More than just a private
namespace for a series of HTTP transactions, membership is more of a
concept of 'meta-sessions', keeping state between a series of sessions.
There are, actually, only a small number of scenarios where
construction and destruction of 'sessions' is useful unless the
information on the user of that sessions is kept for later sessions.

Everyone and their brother has a gazzillion custom requirements they
need satified in this very vague (and ill-defined by the JS standard)
area we call membership.  The actualy 'session' part (which we use a
cookie to solve) is one of the easiest pieces of the puzzle.  Although
many other toolkits have the ability to create an abstraction they
call 'session' it is hard to find one that handles membership in a
usable and flexable fasion (rumor has it WebObjects has a rather nice
model in this regard, of course you have to drop some TALL cash to get
it).  We want our system to be able to satisfy most requirements, and
be able to be molded without breaking any of it to fit all the rest.
For example, membership should be flexible enough to store membership
information in an SQL database, but it should not be required.

So, that aside, I can tell you that this is a deep problem we are
thinking about actively here at DC in various top secret projects, and
we plan on solving in the usual ultra cool Zope Zen way.


> 
> (At first sight the feature now called "versions" seemed to do something similar
> but this was only the first sight.)
> 
> A Session (in my definition) should provide a private namespace for exactly one user
> (or web client). It should have an optional timeout in order to destroy it if the 
> user is inactive.
> 

Ah there lies the rub.  'exactly one user' is not a concept currently
in Zope.  It is possible for me to create users called 'michel' at
various and disjoined areas of Zope.  This is a wildly usable feature
of Zope.  Creating 'members' is a higher level concept than this,
members should be singular, there should be no two 'Michel' members in
the same 'membership'.  Members should have an area that is 'theirs'
(like the UNIX concept of a home directory).  etc. etc.  It gets
sticky and easy to paint oneself in a corner.

> Has anyone build a nice Zope product which does this?
> 

I believe there is a product somewhere out there that lets you
manipulate cookies in the browser to store some small amount of state
(something like 4K) on the client.  I believe it was called
CookieCutter.  This could be useful for your short term goals.
Perhaps the author could chime in?


> May be sessions could be integrated into the object database 
> (by declaring objects to have a special scope and extent)?

We generally avoid putting HTTP specific (or even Zope specific)
feature in the database, this grossly violates our componentized
model.  The ZODB should (and is) be useful for a variety of
applications completely unrelated to Zope or the web.  In either case, 
the database is pretty transparent and low level at Zope's python API
layer, so the problem could be easily solved without bringing any
thought about the database into it.

-Michel

> 
> 
> 
> Frank 
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://www.zope.org/mailman/listinfo/zope
> 
> (For developer-specific issues, use the companion list,
> zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )