AW: [Zope] Cookieless Session Management
Hi there, just a quick note on the subject.

Cookieless session management can store the session ID in hidden form elements or URL insertions; it can use the referer, browser version and IP address, etc., and mix all these to track the session/user. I know ZOPE CookielessSession uses URL insertions, not sure if it uses the other tricks as well.

The problem with cookieless session management in general is that it's less reliable. If you use cookies, you got 'em or not. If you use the other techniques you _might_ run into a bunch of strange problems. URL insertion with Flash or JavaScript? Not always possible. IP tracking with more than one user behind a NAT router? Hardly. Users browsing your site with two instances of the same browser on their desktop? Bummer.

I don't love cookies very much myself, but if you run a site which may have things like Flash or JavaScript, and especially if you run applications that need to rely heavily on the session management (shopping, complex administration, login via form and not popup, etc.), I would strongly advise using cookies unless you know exactly what your site is doing and how.

Not really that much Zope but I hope this helps :)

/Gem
On Mon, 2003-04-07 at 18:31, hpinson@indepthl.com wrote:
Hi Chris-- thanks for the reference.
Is there some drawback to using a session model that stores session information in server memory (CookielessSession) as opposed to a "URL-based" sessioning mechanism, like Zope uses?
Somehow state needs to be kept between requests to implement sessioning. (each request to an HTTP server is "fresh", no state is kept between them, this is why cookies are often used for sessioning because they implement a means of tracking state between requests).
I'm not sure how CookielessSession does this, but if it doesn't use cookies, it likely either uses query strings, hidden form elements, or URL insertions just like the stock Zope sessioning stuff.
I don't know if you or anyone else has experience with the CookielessSession Product-- it seems to be much easier to use than Zope's mechanism. It has not failed after two projects (light usage only).
No, sorry, I don't have any experience with it. If it works for you, I'd say use it!
Gem, that was incredibly useful information.

My application is a multipage form (over many pages, probably 150 fields of information collected per form). The issue that you bring up that is most troublesome is IP tracking of more than one user behind a NAT router. The others are less of an issue for us, though we do use embedded Flash, but do not post or get from or to those applications. We keep JavaScript to an absolute minimum for other reasons.

So far the Zope CookielessSession product has worked flawlessly for such an application, but I'm not sure we have encountered multiple users behind a NAT router, though that would seem a common occurrence. Much as I dislike using cookies, perhaps I should reconsider them.

Thanks!

Harlow Pinson
Indepth Learning
Email: hpinson@indepthl.com
Web: http://www.indepthl.com
Voice: 505-994-2135
FAX: 208-475-7678
Participants (2): Germer, Carsten; hpinson@indepthl.com
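The failure modes discussed in this thread, as an added example that is not part of the original posts and is not CookielessSession's code: a tracker keyed on IP address plus browser version merges two users behind one NAT address, while a random ID inserted into URLs keeps them apart but is lost on any link that was not rewritten. The class names, the `sid` parameter and the sample requests are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

SID_PARAM = "sid"  # hypothetical parameter name, not CookielessSession's

class FingerprintSessions:
    """Identify a session by client IP + User-Agent (no cookie, no URL token)."""
    def __init__(self):
        self.store = {}
    def session_for(self, ip, user_agent):
        return self.store.setdefault((ip, user_agent), {})

class UrlTokenSessions:
    """Identify a session by a random ID carried in every URL."""
    def __init__(self):
        self.store = {}
    def session_for(self, url):
        sid = parse_qs(urlsplit(url).query).get(SID_PARAM, [None])[0]
        if sid not in self.store:          # missing or unknown ID: start fresh
            sid = secrets.token_urlsafe(16)
            self.store[sid] = {}
        return sid, self.store[sid]
    def rewrite(self, url, sid):
        """Insert the session ID into a link so the next request carries it."""
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        query[SID_PARAM] = [sid]
        return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

def nat_collision_demo():
    # Constructed input: two different people behind one NAT address,
    # running the same browser build.
    nat_ip, ua = "203.0.113.7", "Mozilla/5.0 (constructed sample)"
    fp = FingerprintSessions()
    fp.session_for(nat_ip, ua)["name"] = "alice"
    fp.session_for(nat_ip, ua)["name"] = "bob"      # overwrites alice's form data
    fp_shared = len(fp.store) == 1

    tok = UrlTokenSessions()
    sid_a, sess_a = tok.session_for("/form/page1")
    sid_b, sess_b = tok.session_for("/form/page1")
    sess_a["name"], sess_b["name"] = "alice", "bob"
    # Alice follows a rewritten link; a link that was not rewritten loses her session.
    _, back = tok.session_for(tok.rewrite("/form/page2?step=2", sid_a))
    lost_sid, lost = tok.session_for("/form/page2?step=2")
    return fp_shared, back["name"], lost == {} and lost_sid != sid_a
```
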