Toby,

Sorry, I'm still not sure I understand. :-( Are you suggesting that the session token should actually store session data? Or are you just pointing out the difference between an implementation that meets the requirements of sessions and an implementation adequate for things like the tree tag?

Toby Dickenson wrote:
> > > i.e. it is secure if the key *is* the data, rather than a key to the data.
> >
> > Can you explain? I do not see what you're getting at.
>
> Consider how the tree-tag stores its 'session' data. It's impossible to hijack a tree-tag session because the 'session' state is stored by the client (in the URL) in full.
>
> There are other differences between this type of session and the CoreSessionTrackingProposal; but the advantages are not all one way.
-- 
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
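The two designs discussed in this exchange, as an added example that is not part of the thread and not Zope code: in the first, the session token is an opaque key into server-held data, so anyone presenting a copied token gets the victim's session; in the second (the tree-tag approach), the token *is* the data, carried in full by the client, and there is no server-side record for a copied token to unlock. The example also shows the caveat that matters in practice: client-held state that the server must trust has to be integrity-protected, otherwise it is trivially forgeable. All function names, the JSON/base64 encoding, and the `_SERVER_KEY` value are constructed for this example.

```python
"""Added example: 'token is a key to server data' versus 'token is the data'."""
import base64
import hashlib
import hmac
import json
import secrets

# --- Model A: opaque token keyed to server-held session data ------------------
# This is the shape a conventional session-tracking design implies.
_SESSION_STORE = {}


def create_server_session(data):
    """Store the data server-side and hand back an opaque key (the token)."""
    token = secrets.token_urlsafe(16)
    _SESSION_STORE[token] = dict(data)
    return token


def load_server_session(token):
    """Whoever presents the token gets the data: a copied token is a hijacked session."""
    return _SESSION_STORE.get(token)


# --- Model B: the client carries the whole state (tree-tag style) -------------
# Nothing is kept on the server, so a copied URL reveals only what the client
# already had; there is no server-side session to take over.
def encode_client_state(state):
    raw = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_client_state(blob):
    padded = blob + "=" * (-len(blob) % 4)  # restore the padding stripped above
    return json.loads(base64.urlsafe_b64decode(padded))


# --- Model B with integrity: client state the server is allowed to trust -------
# The key below is a constructed placeholder; a real deployment loads it from
# configuration. Without the MAC, anyone can hand the server arbitrary state.
_SERVER_KEY = b"example-only-server-secret"


def sign_client_state(state):
    """Return '<encoded state>.<hmac-sha256>' so the server can detect tampering."""
    blob = encode_client_state(state)
    mac = hmac.new(_SERVER_KEY, blob.encode(), hashlib.sha256).hexdigest()
    return f"{blob}.{mac}"


def verify_client_state(signed):
    """Return the decoded state if the MAC checks out, otherwise None."""
    blob, _, mac = signed.rpartition(".")
    expected = hmac.new(_SERVER_KEY, blob.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return decode_client_state(blob)


if __name__ == "__main__":
    # Model A: the token alone is enough to read the session.
    token = create_server_session({"user": "alice"})
    print("server-side lookup with copied token:", load_server_session(token))

    # Model B: the URL carries the state in full; nothing to hijack on the server.
    blob = encode_client_state({"expanded": ["root", "root/docs"]})
    print("client-side state decoded from URL:", decode_client_state(blob))

    # Model B with a MAC: forged state is rejected.
    signed = sign_client_state({"user": "alice"})
    forged = encode_client_state({"user": "bob"}) + "." + signed.split(".")[1]
    print("verify genuine:", verify_client_state(signed))
    print("verify forged:", verify_client_state(forged))
```

Model A is where token theft equals session theft, which is why such tokens need the usual protections (confidential transport, expiry, binding). Model B has no server-side record to steal, but the server cannot trust anything in it without the MAC step; the tree tag gets away without one only because expand/collapse state carries no authority.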