[Zope-dev] CoreSessionTracking proposal
Chris McDonough
chrism@digicool.com
Sun, 01 Oct 2000 18:58:54 -0400
Dieter Maurer wrote:
>
> Phillip J. Eby writes:
> > The actual lifetime of a browser ID will be controllable by the Zope site
> > manager. I agree with you, however, in that the default lifetime should be
> > reasonable. Indeed, I would suggest that the default simply be to use
> > cookies with no expiration date, and which therefore only live so long as
> > the user's browser is open, be it minutes or days.
> I would be very happy with this.
Good, that's what it is now. :-)
> > As I understand it, the "Access Session Data" permission gives you the
> > right to call a method that returns you the session data for the current
> > request, but does not give you the right to access arbitrary session data.
> > Thus, one only has permission to see one's own session data.
> Do we need a special permission for this?
> All users will have it (when sessions are used at all).
> Thus, why clutter the (already cluttered) security management screen
> with an additional permission.
It is advantageous to prevent certain users from accessing session data
(such as non-anonymous, non-management users with TTW scripting
capabilities) so they cannot arbitrarily examine session data values.
--
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
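As an added illustration (not code from the CoreSessionTracking proposal, nor from Zope itself), the following Python model shows the two access rules discussed in this message: the only public accessor takes the current request rather than a browser id, so a caller can reach exactly its own session, and a separate "Access Session Data" permission lets the site manager withhold even that from through-the-web scripters. The class names, the cookie name _ZopeId, the user names and the permission-set representation are assumptions made for the example; the browser-id cookie is set without Expires or Max-Age so it lives only as long as the browser is open, matching the default lifetime agreed above.

```python
import secrets

PERMISSION = "Access Session Data"
COOKIE_NAME = "_ZopeId"  # assumed cookie name; not taken from the proposal


class Unauthorized(Exception):
    """Raised when the calling user lacks the required permission."""


class Request:
    """Minimal stand-in for a web request: the calling user, the user's
    permissions, the cookies that came in, and the response headers set
    on the way out."""

    def __init__(self, user, permissions, cookies=None):
        self.user = user
        self.permissions = set(permissions)
        self.cookies = dict(cookies or {})
        self.response_headers = []


class SessionDataManager:
    def __init__(self):
        self._sessions = {}  # browser id -> session data dict (private)

    def _browser_id_for(self, request):
        """Read the browser id from the request cookie, minting one if absent.
        The new cookie carries no Expires/Max-Age attribute, so the browser
        discards it when it is closed."""
        bid = request.cookies.get(COOKIE_NAME)
        if bid is None:
            bid = secrets.token_urlsafe(16)
            request.cookies[COOKIE_NAME] = bid
            request.response_headers.append(
                ("Set-Cookie", f"{COOKIE_NAME}={bid}; Path=/; HttpOnly"))
        return bid

    def get_session_data(self, request):
        """The only public accessor. It takes the request, not a browser id,
        so a permitted caller can reach exactly one session: its own.
        There is deliberately no method that accepts an arbitrary id."""
        if PERMISSION not in request.permissions:
            raise Unauthorized(f"{request.user} lacks '{PERMISSION}'")
        bid = self._browser_id_for(request)
        return self._sessions.setdefault(bid, {})


def run_scenario():
    """Constructed sample traffic. Alice and Bob are ordinary users holding
    the permission; Mallory can write TTW scripts but has had the
    permission withheld, as the message suggests for such users."""
    mgr = SessionDataManager()

    alice = Request("alice", {PERMISSION})
    mgr.get_session_data(alice)["cart"] = ["widget"]  # first hit mints an id
    set_cookie = alice.response_headers[0][1]

    # Alice's next request carries her cookie and sees her own data again.
    alice_again = Request("alice", {PERMISSION}, alice.cookies)
    alice_sees = mgr.get_session_data(alice_again)

    # Bob, with the same permission, gets a different and empty session.
    bob = Request("bob", {PERMISSION})
    bob_sees = mgr.get_session_data(bob)

    # Mallory's script is refused before any session lookup happens.
    mallory = Request("mallory", set())
    try:
        mgr.get_session_data(mallory)
        mallory_denied = False
    except Unauthorized:
        mallory_denied = True

    return {
        "alice_sees": alice_sees,
        "bob_sees": bob_sees,
        "distinct_sessions": alice_sees is not bob_sees,
        "mallory_denied": mallory_denied,
        "cookie_has_no_expiry": ("Expires=" not in set_cookie
                                 and "Max-Age=" not in set_cookie),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design point is in the accessor's signature: because the session is selected by the cookie on the current request, the "Access Session Data" permission cannot be used to read someone else's session, and withholding it from TTW scripters closes the remaining avenue of a script examining whatever session values the current visitor happens to carry.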