A new release of the "CoreSessionTracking" product is out. The product allows you to associate state with anonymous visitors between requests.
I've been wondering about this for a long time. It allows you to associate state with anonymous users. Does this imply that you can't associate state with authenticated users, or that there's another mechanism to do it with authenticated users?
There's nothing inherent in the product which prevents you from associating state with authenticated users. It's just not as useful because once they're authenticated you'd probably be better off associating the state with their user object.

I've seen a couple of examples of session usage, however, that mix user state and session state... for example, in the ASP world (and I think in the servlet world too), when a session starts and ends, you can associate an event with it. So this allows you to use the session space as sort of a scratchpad for use when a user comes in. At start time, you copy over some user state to the session object (based on authentication information). The user does some stuff, changing the contents of the session state. Then when the session expires, the session end event is called, the state is copied back to the user object. This is something that core session tracking doesn't do because session ids don't expire.

There are also a couple of undocumented methods in core session tracking that allow you to associate a session data object with a user's database path. The reason that they're undocumented is because I'm not sure how far I want the tendrils of session tracking to go. This is an area we need help in, but it's probable that this information should probably be associated with the user in another way.
In the servlet paradigm, there's a distinction between the HTTP session and authentication. You set up a session with an HTTP request, and thereafter if the session ID is returned to you it's the same session. In that session, the user can choose to log in or not.
Is this the same thing or is it different?
Core session tracking is the same.
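
The session start/end "scratchpad" pattern described in the reply above, as an added example that is not part of the original thread and is not CoreSessionTracking's API. The class, its method names, the `demo` helper and the sample user are hypothetical; the second call to `demo` shows that when session ids never expire, the end event never fires and nothing is copied back to the user object.

```python
import secrets

class ScratchpadSessions:
    """Toy in-memory session store with start/end events (hypothetical names)."""
    def __init__(self, users, idle_timeout, clock):
        self.users = users                # user id -> persistent state dict
        self.idle_timeout = idle_timeout  # seconds; None means ids never expire
        self.clock = clock                # callable returning the current time
        self.sessions = {}                # session id -> user, data, last_seen

    def start(self, user_id=None):
        # Session start event: copy the user's state into the scratchpad.
        sid = secrets.token_urlsafe(32)   # unguessable session id
        data = dict(self.users.get(user_id, {}))
        self.sessions[sid] = {"user": user_id, "data": data, "last_seen": self.clock()}
        return sid

    def get(self, sid):
        # Return the scratchpad of a live session, or None if unknown or expired.
        self.sweep()
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        entry["last_seen"] = self.clock()
        return entry["data"]

    def sweep(self):
        # Expire idle sessions; the end event copies state back to the user.
        if self.idle_timeout is None:
            return 0
        now = self.clock()
        dead = [s for s, e in self.sessions.items() if now - e["last_seen"] > self.idle_timeout]
        for sid in dead:
            entry = self.sessions.pop(sid)
            if entry["user"] is not None:
                self.users[entry["user"]] = dict(entry["data"])
        return len(dead)

def demo(idle_timeout):
    # One constructed visit: returns (persisted user state, session still live).
    now = [0]
    users = {"alice": {"cart": []}}       # constructed sample data
    store = ScratchpadSessions(users, idle_timeout, lambda: now[0])
    sid = store.start("alice")
    store.get(sid)["cart"] = ["book"]     # the user changes session state
    now[0] = 3600                         # an hour of inactivity passes
    alive = store.get(sid) is not None
    return users["alice"], alive
```
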