[Zope-dev] CoreSessionTracking proposal
Dieter Maurer
dieter@handshake.de
Sun, 1 Oct 2000 23:33:06 +0200 (CEST)
Phillip J. Eby writes:
> At 09:27 PM 9/30/00 +0200, Dieter Maurer wrote:
> > * I am *VERY* suspicious whenever I get
> > a cookie with an expiration date more than
> > a few days in the future.
> >
> > If Zope tries to implement long living browser ids,
> > I fear, Zope sites will have a high chance, I will
> > no longer visit them.
>
> The actual lifetime of a browser ID will be controllable by the Zope site
> manager. I agree with you, however, in that the default lifetime should be
> reasonable. Indeed, I would suggest that the default simply be to use
> cookies with no expiration date, and which therefore only live so long as
> the user's browser is open, be it minutes or days.
I would be very happy with this.
> > * I do not think "Annonymous" should have
> > "Access Session Data" permission
> > with the exception to its own session data.
>
> As I understand it, the "Access Session Data" permission gives you the
> right to call a method that returns you the session data for the current
> request, but does not give you the right to access arbitrary session data.
> Thus, one only has permission to see one's own session data.
Do we need a special permission for this?
All users will have it (when sessions are used at all).
Thus, why clutter the (already cluttered) security management screen
with an additional permission.
> > Again, session handling should be transparent,
> > implemented by a mechanism that implements
> > its own special purpose access policy
> > (access to session data only by the
> > session owner).
>
> No such policy is necessary, since access to the session data objects
> themselves is gated. You can't get to the session object unless you have
> management rights on the session data manager itself, or if the session
> data object is for "your" session -- the session for the current REQUEST.
That's precisely the special policy, I speak of.
Dieter