"Chris McDonough" <chrism@zope.com> writes:

OK, so do you recommend that I just use a shared secret string to obfuscate the session id?

Yes, I think that would be sufficient. The secret would be generated during creation of the SessionId manager, either by asking the user for some secret or by getting it from the system (/dev/random on Linux for example). When asking the user a long default value could provided so that the user only has to change it (seeing a good random example is easier than to create one from scratch).

I suppose I could just use the rotor module

Yes, that's a possibility.

Or do you think I should use dates/times and IP addresses as part of the string, rejecting session ids from machines that don't match the IP address encoded into the sid and date/times that are too long ago?

I would avoid IP addresses because session users can come from different sources legally. Timestamping would be a good thing in case session Ids are kept somewhere in URLs (search engines, proxy-Logs, ...).

Note that I believe there will be some cost involved in terms of documentation and support if this is the case. Sessions often just won't work due to proxy server banks that prevent users from appearing to come from the same IP address across requests.

Exactly.

In any case, if anything like this goes in, this will be a feature of a sessioning system after Zope 2.5 and will not ship with 2.5.

Oh, don't feel any pressure ... it was only a suggestion, not a demand :)

Thanks Frank!

Thanks too, Chris. Regards, Frank -- CTO fte@Lightwerk.com http://www.Lightwerk.com/ Fax: +49-2434-80 07 94 Phone: +49-2434-80 07 81 Lightwerk GmbH * An der Kull 11 * 41844 Wegberg * Germany