Dieter Maurer wrote:
Phillip J. Eby writes:
The actual lifetime of a browser ID will be controllable by the Zope site manager. I agree with you, however, in that the default lifetime should be reasonable. Indeed, I would suggest that the default simply be to use cookies with no expiration date, and which therefore only live so long as the user's browser is open, be it minutes or days. I would be very happy with this.
Good, that's what it is now. :-)
As I understand it, the "Access Session Data" permission gives you the right to call a method that returns you the session data for the current request, but does not give you the right to access arbitrary session data. Thus, one only has permission to see one's own session data. Do we need a special permission for this? All users will have it (when sessions are used at all). Thus, why clutter the (already cluttered) security management screen with an additional permission.
It is advantageous to prevent certain users from accessing session data (such as nonanonymous, non-management users with TTW scripting capabilites) so they cannot arbitrarily examine session data values. -- Chris McDonough Digital Creations, Publishers of Zope http://www.zope.org