Re: [Zope-dev] CoreSessionTracking proposal
Phillip J. Eby writes:
At 09:27 PM 9/30/00 +0200, Dieter Maurer wrote:
* I am *VERY* suspicious whenever I get a cookie with an expiration date more than a few days in the future.
If Zope tries to implement long living browser ids, I fear, Zope sites will have a high chance, I will no longer visit them.
The actual lifetime of a browser ID will be controllable by the Zope site manager. I agree with you, however, in that the default lifetime should be reasonable. Indeed, I would suggest that the default simply be to use cookies with no expiration date, and which therefore only live so long as the user's browser is open, be it minutes or days.
I would be very happy with this.
* I do not think "Anonymous" should have "Access Session Data" permission with the exception to its own session data.
As I understand it, the "Access Session Data" permission gives you the right to call a method that returns you the session data for the current request, but does not give you the right to access arbitrary session data. Thus, one only has permission to see one's own session data.
Do we need a special permission for this? All users will have it (when sessions are used at all). Thus, why clutter the (already cluttered) security management screen with an additional permission?
Again, session handling should be transparent, implemented by a mechanism that implements its own special purpose access policy (access to session data only by the session owner).
No such policy is necessary, since access to the session data objects themselves is gated. You can't get to the session object unless you have management rights on the session data manager itself, or if the session data object is for "your" session -- the session for the current REQUEST.
That's precisely the special policy, I speak of.
Dieter
Dieter Maurer wrote:
Phillip J. Eby writes:
The actual lifetime of a browser ID will be controllable by the Zope site manager. I agree with you, however, in that the default lifetime should be reasonable. Indeed, I would suggest that the default simply be to use cookies with no expiration date, and which therefore only live so long as the user's browser is open, be it minutes or days.
I would be very happy with this.
Good, that's what it is now. :-)
As I understand it, the "Access Session Data" permission gives you the right to call a method that returns you the session data for the current request, but does not give you the right to access arbitrary session data. Thus, one only has permission to see one's own session data.
Do we need a special permission for this? All users will have it (when sessions are used at all). Thus, why clutter the (already cluttered) security management screen with an additional permission?
It is advantageous to prevent certain users from accessing session data (such as nonanonymous, non-management users with TTW scripting capabilities) so they cannot arbitrarily examine session data values.
--
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
participants (2): Chris McDonough, Dieter Maurer
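Added example, not part of the thread and not Zope's code: a toy Python model of the two points discussed above, a browser id cookie with no expiration date and session data reachable only for the current request unless the caller has management rights. The class, its method names, the cookie name `_browser_id` and the `is_manager` flag are assumptions made for illustration; only the "Access Session Data" permission name comes from the thread.

```python
import secrets
from http.cookies import SimpleCookie

class Unauthorized(Exception):
    """Raised when a caller may not see the requested session data."""

class SessionDataManager:
    COOKIE = "_browser_id"           # hypothetical cookie name
    ACCESS = "Access Session Data"   # permission name from the thread

    def __init__(self):
        self._sessions = {}          # issued browser id -> session data

    def issue_browser_id(self):
        """Return (browser_id, Set-Cookie value) for a session-only cookie."""
        bid = secrets.token_hex(16)
        self._sessions[bid] = {}
        cookie = SimpleCookie()
        cookie[self.COOKIE] = bid
        cookie[self.COOKIE]["path"] = "/"
        cookie[self.COOKIE]["httponly"] = True
        # No "expires"/"max-age": the browser discards the id when it closes.
        return bid, cookie[self.COOKIE].OutputString()

    def session_for_request(self, request, permissions):
        """Session data for the current request's browser id, nothing else."""
        if self.ACCESS not in permissions:
            raise Unauthorized("caller lacks " + self.ACCESS)
        bid = request.get("cookies", {}).get(self.COOKIE)
        if bid not in self._sessions:    # missing, or never issued by us
            raise Unauthorized("no session for this request")
        return self._sessions[bid]

    def session_by_id(self, browser_id, is_manager=False):
        """Arbitrary lookup: only with management rights on the manager."""
        if not is_manager:
            raise Unauthorized("management rights required")
        return self._sessions[browser_id]

if __name__ == "__main__":
    mgr = SessionDataManager()
    bid, header = mgr.issue_browser_id()
    print("Set-Cookie:", header)
    request = {"cookies": {mgr.COOKIE: bid}}   # constructed sample request
    mgr.session_for_request(request, {mgr.ACCESS})["cart"] = ["item-1"]
    print(mgr.session_by_id(bid, is_manager=True))
```

Withholding the permission from a role (the scripting users mentioned in the last message) makes `session_for_request` fail for that role even though the cookie is valid.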