[Zope] Session Management

Anthony Baxter Anthony Baxter <anthony@interlink.com.au>
Wed, 05 Jan 2000 01:42:05 +1100 

>>> Pavlos Christoforou wrote

> Here lies the major difference between FSSession and SQLSession. FSSession
> does not insert the session object in the REQUEST object. It loads the
> session info into temporary variables in the object. Is there a reason to
> insert the session object in the REQUEST variable? I can change it if
> there is a good reason.

I'm not sure I understand what you mean by 'loads the session values into
temporary variables in the object'. The rationale behind having 
REQUEST.SESSION was to make it behave in a way similar to RESPONSE. 
I explicitly did _not_ want to have session variables automatically
looked up, or stored - this seemed to me to be an error prone way to
go. I also dislike things that stomp all over my global namespace,
and pulling all session values out seemed too much like 'from foo import *'
to me.

> > 
> > SESSION API:
> >    SESSION.getName() - returns the session id of the current session.
> Ok I will add it. Right now the SessionUID is inserted in the REQUEST
> object.

I could add that as well, I guess - but I prefer having all of the session
values inside REQUEST.SESSION. 
 

> > Query: should it also support __getattr__ ? I've resisted it so far as
> I don't think so. If users ask for it then we can add it, but I will agree
> it is not really neccessary.

I've had (I think) two requests for it. The other reason for not adding it
is that if people get comfortable using it, they then get bitten by the
whole SESSION['a-b-c'] != SESSION.a-b-c (a-b-c is not a valid python variable
name).

> I think one useful method is one that returns a URL including the
> SessionUID if client does not support cookies or the URL if it does (BTW
> what is the best way of detecting whether the client supports cookies?)
> Here is the implementation in FSSession:

Hm - I've thought about this, but haven't come up with an authoritative
(if that's the right term) way to deal with it. One way I've thought to
do it is to make the first form submit have a hidden field called something
like '_this_form_should_send_in_a_cookie_called_foo', then check the next
page for a cookie called 'foo'. If it's not there, stuff 'foo' into the URL.

I'd like to avoid putting the session in the URL by default, tho.


Anthony


-- 
Anthony Baxter     <anthony@interlink.com.au>   
It's never too late to have a happy childhood.