Bill Bell wrote:
First of all, thank you for your responses to my question. Unfortunately I did not make my meaning clear.
I would like an elementary understanding of how the internals of SESSIONs work. I assume they make use of cookies. If this is correct then, what information is sent back and forth using cookies?
Yes, it uses cookies by default. It doesn't have to -- it can be enabled to use FORM variables, but that's tougher to do by default (the one component can't just behave passively.)

There's an ID manager that assigns a cookie to a browser, a data manager that uses that ID to connect to a temporary session data store, and the data store itself. In conjunction, all three form a "session." The only information in the cookie is the browser ID -- just a unique key to retrieve the session data saved on the server.

The key is NOT cryptographically secure -- capturing the key would enable you to steal a session if the application didn't check for that. This is intended, as the various proxy servers out there make uniquely identifying a browser in a secure fashion tricky. The only really good way to do that IMHO is SSL + cookies.

-- Matt Kromer
Zope Corporation
http://www.zope.com/
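The three parts Matt describes (an ID manager that hands out the cookie, a data manager that maps the ID to a server-side record, and the store itself), as an added illustration that is not code from the reply or from Zope: the class names, handle_request and the cookie name browser_id are assumed for the example. It goes one step beyond the message by generating the key with a cryptographic random source, flagging the cookie Secure and HttpOnly, and ignoring any ID the server never issued.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "browser_id"  # assumed cookie name for this example


class BrowserIdManager:
    """Assigns each browser an opaque id and reads it back from the Cookie header."""

    def new_id(self):
        # Unpredictable key; it carries no user data, it only locates server-side state.
        return secrets.token_urlsafe(32)

    def id_from_request(self, cookie_header):
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(COOKIE_NAME)
        return morsel.value if morsel else None

    def set_cookie_header(self, browser_id):
        # Secure + HttpOnly: the id is sent only over TLS and is hidden from page scripts.
        return f"{COOKIE_NAME}={browser_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


class SessionDataManager:
    """Maps a browser id to its temporary, server-side session record."""

    def __init__(self):
        self._store = {}

    def has_session(self, browser_id):
        return browser_id in self._store

    def get_session(self, browser_id):
        return self._store.setdefault(browser_id, {})


def handle_request(ids, data, cookie_header):
    """One request: resolve the browser id, load its session, and emit a Set-Cookie
    header only when a new id had to be issued. Returns (id, session dict, header)."""
    browser_id = ids.id_from_request(cookie_header)
    set_cookie = None
    # An id the server never issued is replaced, so a client cannot pick its own key.
    if browser_id is None or not data.has_session(browser_id):
        browser_id = ids.new_id()
        set_cookie = ids.set_cookie_header(browser_id)
    return browser_id, data.get_session(browser_id), set_cookie
```

Whoever presents the same cookie value reaches the same server-side record, which is exactly why the key must be unguessable and travel only over SSL.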