When a user logs in you want to clear the SESSION object related to his browser. The simplest way to do this is to use a cookie-based user folder and cause the session to be cleared as a result of the user submitting a login form (read the Sessions chapter and look for "invalidate" to see how to clear the session).
The stock Zope user folder uses basic HTTP authentication and is therefore not suitable for this purpose. This is an unfortunate limitation of basic authentication. Basic HTTP authentication is not suitable because there is no way to "hook" a login (the programmer never gets the chance to "do something" when a user logs in).
OTOH, cookie-based user folders are suitable for this purpose because typically you will have the chance to display a custom login form and process its results yourself. During this processing, on successful login, invalidate the session object, and you'll have solved your problem.
For a list of user management-related Products, many of which are user folder implementations that you might be able to use, consult http://www.zope.org/Products/user_management .
On Mon, 2002-09-09 at 12:18, Stacy Roberts Ladnier wrote:
I know the session was created for this reason. However, when storing parameters in the session, we experience problems when a user switches login names in the same browser session. Parameters that exist under one user name are persisted over to the new user name and this should not be allowed to happen. When it does, certain options the user can choose will cause the search mechanism to completely crash and write null values to the database. This then prevents the user from using our site until we detect the Null value and delete it. As you can imagine, this is a MAJOR problem that has to be avoided at all costs. When parameters are passed in the REQUEST object, this problem is resolved.
Right now, we recreate the REQUEST object in each page. This becomes code intensive and a management nightmare. When one parameter is added, every single page must be touched. I would love to use the session, but the resulting problems prevent me from utilizing it. I need a way to persist the parameters throughout my search capabilities, but wipe the slate clean when a user logs in as a different user. I tried this out with the session, but a new session is not created unless I open a new browser instance and then log in in this new instance.
If I can find a way to force a new SESSION object to start when a user clicks a certain link, my problem may be solved. I know I ABSOLUTELY want to avoid passing 50 parameters in the URL string. That is so UGLY.
You mention that I can, in fact, remove the arguments from the session. Can you please explain how I can do this in detail? I want the transition to ZOPE to bring about some valuable improvements to our site and the maintenance of our code.
Stacy
Heimo Laukkanen wrote:
Subject: Re: [Zope] REQUEST parameters needed throughout website
Cc: zope@zope.org
To: "Stacy Roberts Ladnier" <Stacy.Roberts@noaa.gov>
From: Jens Vagelpohl <jens@zope.com>
user's search. I DO NOT want to use the session to store the parameters in because this will cause problems if a certain course of action is taken. ... Please understand I am very new to Zope. My company is trying to transition from Java and JSP to Zope and Python. I need to make sure
Since you say: a) you are new to Zope b) you don't want to use sessions c) you need to do something that is exactly what sessions are for,
I'll have to ask - what are the conditions and the course of action that makes sessions cause problems? And what kind of problems they are - and is the reason for these problems sessions or something else?
And as a reminder:
1) HTTP is a sessionless protocol - there is no such thing as a session in the protocol
2) Passing variables or arguments happens usually either in the URL ( http://xx.xx.xx?foo=bar&dinner=spam ), as a form field or in a cookie.
3) Since passing multiple arguments all the time is stupid - systems for storing the data with a session key have been developed to practically all the web development platforms. Instead of passing all the arguments you just pass the session key. And then the session key gives you access to all your arguments. And when you are done, you can just remove the arguments or kill the session.
Now. Is the session mechanism really the problem?
-huima
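
The login-time invalidation described in the first reply, as an added sketch that is not part of the original thread and not Zope code: it shows search parameters stored under one login disappearing when a second user logs in from the same browser. `SessionStore`, `process_login`, `demo` and the sample users are hypothetical stand-ins for Zope's session data manager and a cookie-based user folder's login-form handler.

```python
import hmac
import secrets

# Constructed sample accounts; plaintext passwords only to keep the demo short.
USERS = {"alice": "pw-a", "bob": "pw-b"}


class SessionStore:
    """In-memory stand-in for a server-side session data manager."""

    def __init__(self):
        self._data = {}

    def create(self):
        # A fresh, unguessable key that the browser would receive as a cookie.
        key = secrets.token_urlsafe(32)
        self._data[key] = {}
        return key

    def get(self, key):
        # Unknown or invalidated keys yield no session data.
        return self._data.get(key)

    def invalidate(self, key):
        self._data.pop(key, None)


def process_login(store, cookie_key, username, password):
    """Handle a submitted login form; return (ok, session key for the cookie)."""
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(
        expected.encode(), password.encode()
    ):
        return False, cookie_key  # failed login: existing session untouched
    # The step the reply calls "invalidate the session object": drop whatever
    # the previous login stored, then start the new user on an empty session.
    store.invalidate(cookie_key)
    new_key = store.create()
    store.get(new_key)["user"] = username
    return True, new_key


def demo():
    store = SessionStore()
    _, key_a = process_login(store, None, "alice", "pw-a")
    store.get(key_a)["search_params"] = {"region": "gulf"}  # constructed data
    _, key_b = process_login(store, key_a, "bob", "pw-b")   # same browser
    # Old session is gone; the new one carries none of alice's parameters.
    return store.get(key_a), store.get(key_b)
```
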