why two session identifiers?
Dear list, could anybody tell me why the Session product assigns a session id AND a session token to a session? I've noticed that expiration of the session data object causes (on a further request) the session id to change, while the token stays the same: any explications?
Thanks, Mario.
There is a "browser id". This is the id assigned to the user's browser. It is stored in the cookie that is set on the user's browser (if you use cookies in sessioning). You can obtain this value by using REQUEST.SESSION.getContainerKey() or REQUEST.SESSION.getBrowserIdManager().getBrowserId(). It uniquely identifies a single browser.

There is a "session id". This is the id assigned to a user's session data object. You can obtain this value by using REQUEST.SESSION.getId(). This identifier uniquely identifies a single session by a browser.

A session (and therefore a session id) lasts until the session times out due to inactivity, typically after 20 minutes of inactivity. However, a browser id can last for almost as long as you want. For example, if you use cookies, you could have the sessioning machinery cookie timeout set to 2038 or something, and assuming the user never clears his cookies, and uses the same machine until 2038, he will always have the same browser id. During his visits to the site, however, he will have many sessions, each with its own id.

The session id is not stored or seen on the client in any way, just the browser id.

HTH,

- C

----- Original Message -----
From: "Mario Bianchi" <kammamuri_mb@hotmail.com>
To: <zope@zope.org>
Sent: Monday, August 05, 2002 12:40 PM
Subject: [Zope] why two session identifiers?

Dear list, could anybody tell me why the Session product assigns a session id AND a session token to a session? I've noticed that expiration of the session data object causes (on a further request) the session id to change, while the token stays the same: any explications?
Thanks, Mario.
Chris McDonough writes:

> ... However, a browser id can last for almost as long as you want. For example, if you use cookies, you could have the sessioning machinery cookie timeout set to 2038 or something, and assuming the user never clears his cookies, and uses the same machine until 2038, he will always have the same browser id.

Small note: when I get a cookie with such a lifespan and I do not really trust the site, then it will be the last cookie that I get from this site.

Thus, use lifespans for cookies your users can understand...

Dieter
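
Added example, not part of the original thread and not Zope's sessioning code: a minimal Python model of the two identifiers described in Chris McDonough's reply, showing the session id changing after the inactivity timeout while the browser id (the cookie value) stays the same. All class and function names are hypothetical, and the 20-minute timeout is the typical value mentioned in the reply.

```python
import secrets
import time

SESSION_TIMEOUT = 20 * 60  # seconds of inactivity (typical value from the reply)


class SessionData:
    """Server-side session data object; its id is never sent to the client."""

    def __init__(self, now):
        self.id = secrets.token_hex(8)
        self.last_access = now
        self.data = {}


class SessionContainer:
    """Hypothetical container mapping browser id (cookie) -> current session."""

    def __init__(self, timeout=SESSION_TIMEOUT):
        self.timeout = timeout
        self._by_browser = {}

    def new_browser_id(self):
        # Unguessable value; this is the only identifier the client ever holds.
        return secrets.token_hex(16)

    def get_session(self, browser_id, now=None):
        now = time.time() if now is None else now
        session = self._by_browser.get(browser_id)
        if session is None or now - session.last_access > self.timeout:
            # Unknown or expired: old data is dropped and a new session id issued.
            session = SessionData(now)
            self._by_browser[browser_id] = session
        session.last_access = now
        return session


def demo():
    """Constructed timeline: two requests within the timeout, one after it."""
    container = SessionContainer()
    browser_id = container.new_browser_id()          # would be set as the cookie
    first = container.get_session(browser_id, now=0)
    first.data["cart"] = ["item"]
    same = container.get_session(browser_id, now=10 * 60)    # idle 10 minutes
    later = container.get_session(browser_id, now=31 * 60)   # idle 21 minutes
    return browser_id, first, same, later
```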
Participants (3): Chris McDonough, Dieter Maurer, Mario Bianchi