[Zope] keeping Java Servlets session ids based on url rewriti ng

[Chris McDonough]

Thanks for the clarifications...

> We use servlets for java to java com between applets and the
> server. Inside, the servlets communicates to C++ based servers for
> objects and events. Servlet sessions are used to help ensure 
> validation
> for the object and event servers. User database is also stored in the
> object repository. Getting the session id for the servlet back into
> Zope (I was going to store it in a SQLSession object.) was the reason
> for preserving the ;<sessionid> from a response redirect generated by
> servlet. All pages with applets would be written with the servlet
> session ID as a parameter. We were going to use https for anything
> with session ids in them so they can not be sniffed for.

OK, I think I understand... you need to keep using the servlets-style
URL-rewriting because you serve Java applets that make use of
sessionids, and you may want to serve these from Zope.

I've done a little poking around in ZPublisher's HTTPRequest.py and
BaseRequest.py and I don't think that's where the ';*' gets stripped.  I
can't find *where* it gets stripped.  It must be possible to make Zope
de-ignore things split on a ";", but right now I can't find out where to
do so.

> I had not decided if the user database exchange would be done by using
> the client as a relay with user info emedded in
> user,md5-password-signature components in the session id response
> redirect or some Zope to JServ direct handshaking using
> ZPatterns-based Membership. Yet another alternative would be the swig
> Python interface directly to the object server and Zpatterns.

From what little I know about Java servlets, I believe it keeps all the
session objects in separate files within a directory on servlet's
server's filesystem.  Are they in an opaque format?  Are they named with
the sessionid?  Maybe you could let Zope peek at these.

> 
> Hope this helps clarifys things..
> 
> Albert Boulanger
> aboulanger@vaptch.com
> 
> 
> 
> -
>