[Zope-dev] Re: CoreSessionTracking proposal

Chris McDonough chrism@digicool.com
Tue, 03 Oct 2000 09:07:07 -0400


Toby,

Sorry, I'm still not sure I understand.  :-(

Are you suggesting that the session token should actually store session
data?  Or are you just pointing out the difference between an
implementation that meets the requirements of sessions
and an implementation adequate for things like the tree tag?

Toby Dickenson wrote:
> 
> > > i.e. it is secure if the key *is* the data, rather than a key to the
> > > data.
> >
> > Can you explain?  I do not see what you're getting at.
> 
> Consider how the tree-tag stores its 'session' data. It's impossible to
> hijack a tree-tag session because the 'session' state is stored by the
> client (in the URL) in full.
> 
> There are other differences between this type of session and the
> CoreSessionTrackingProposal; but the advantages are not all one way.

-- 
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org