A session object is an object that behaves like a folder in Zope. If you access <Session FolderId>/docLogin via the web, the session folder will validate your username and password based off of the first acl_users folder that it finds via acquisition. Once the user has been authorized, the Session Folder creates a brand new Session Instance and stores the user information in the Session Instance. Whenever an object is accessed through the Session Instance, the user is equivalent to the user that originally logged in. In effect, the authorization information is stored in PATH_INFO instead of a cookie or using standard HTTP authentication methods. Session Instances will/should be automatically deleted if the user has been idle longer than the time to live property.
The advantages to this scheme are: (Of course, most of this is not implemented in this sample.)
One important one that I forgot.

* No need to trick/coerce/plug/patch/or otherwise beat your web server into passing authentication information to your Zope process.

---------------------------------------------------
- Scott Robertson           Phone: 714.972.2299   -
- CodeIt Computing          Fax:   714.972.2399   -
- http://codeit.com                               -
---------------------------------------------------
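The login, path-based lookup and idle expiry described above, as an added sketch that is not part of the original message or the product's code. The class name, the `/session/` prefix, the `authenticate` callable (standing in for the acquired acl_users folder) and the 600-second default are all assumptions made for illustration.

```python
import secrets
import time


class SessionFolder:
    """Hypothetical stand-in for the Session Folder described in the post."""

    def __init__(self, authenticate, time_to_live=600, clock=time.monotonic):
        self.authenticate = authenticate   # assumed callable(username, password) -> bool
        self.time_to_live = time_to_live   # idle seconds before an instance is deleted
        self.clock = clock                 # injectable so expiry can be exercised in tests
        self.instances = {}                # session id -> [username, last access time]

    def docLogin(self, username, password):
        """Check credentials; return the path prefix of a new Session Instance or None."""
        if not self.authenticate(username, password):
            return None
        # The id placed in the path is the only credential afterwards,
        # so it must be long and unguessable.
        sid = secrets.token_urlsafe(32)
        self.instances[sid] = [username, self.clock()]
        return "/session/" + sid

    def traverse(self, path_info):
        """Resolve PATH_INFO to (user, remaining path); user is None without a live session."""
        parts = path_info.strip("/").split("/")
        if len(parts) < 2 or parts[0] != "session":
            return None, path_info
        sid = parts[1]
        entry = self.instances.get(sid)
        if entry is None:
            return None, path_info
        now = self.clock()
        if now - entry[1] > self.time_to_live:
            del self.instances[sid]        # idle longer than time to live: delete instance
            return None, path_info
        entry[1] = now                     # each access resets the idle timer
        return entry[0], "/" + "/".join(parts[2:])


if __name__ == "__main__":
    # Constructed sample credentials, for demonstration only.
    folder = SessionFolder(lambda u, p: (u, p) == ("alice", "constructed-pw"))
    prefix = folder.docLogin("alice", "constructed-pw")
    print(folder.traverse(prefix + "/reports/index_html"))
```

Because the session id travels in the URL, it also appears wherever URLs are recorded (server logs, Referer headers, bookmarks), which is why the time to live expiry matters in this scheme.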