[Zope-PAS] [RFC] Extending CookieAuthHelper
Jens Vagelpohl
jens at dataflake.org
Thu Nov 11 14:20:34 EST 2004
> WRT sessions, it is a goal of mine for Zope 3 sessions that they be
> ubiquitous and storable over ZEO. This means that we choose not to
> write to them very often. :) This allows us to *count* on them being
> there.
I believe sessions are one of these killer things that is underutilized
for various reasons. One possibly being the fact that they seem to
require a lot of mind-bending internal logic to do what they are
supposed to do (hello Chris ;), and sometimes reliability is a problem
due to the complicated internal logic.

The plugin I am thinking of only writes to the session once, on login,
and then compares the incoming session key to retrieve credentials from
the session. So it seems quite sessioning-friendly.
>> Also, the lifespan of the cookie should be configurable on the plugin
>> and there should be a "logout" method that can be called from user
>> space/untrusted code to effect cookie expiration.
>
> You can't just use the session-timeout mechanism for that?
> That certainly makes things simpler.
Yes, that's a good point and I have thought about it myself. There are
two items that need to be cleaned up, come to think of it. On the one
hand you have a session, but then there's also a cookie. I'm not sure
yet if I want to re-use the standard sessioning cookie or set my own. I
need to look at how the timeouts in these items are handled by the
standard sessioning machinery.
jens
---------------
Jens Vagelpohl jens at zetwork.com
Software Engineer +49-(0)441-36 18 14 38
Zetwork GmbH http://www.zetwork.com/
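
An added illustration of the write-once pattern discussed in this message (not code from the post, from PAS, or from Zope): the session is written on login, every later request only reads it by comparing the incoming key, and logout can be called to expire it. The class name, method names, and the in-memory dict standing in for a session container are assumptions made for this sketch.

```python
import secrets
import time


class SessionCredentials:
    """Hypothetical stand-in for a session-backed credentials plugin."""

    def __init__(self, lifespan=1200, clock=time.time):
        self.lifespan = lifespan      # configurable lifetime, in seconds
        self.clock = clock            # injectable so expiry can be tested
        self.sessions = {}            # session key -> (credentials, expiry)
        self.writes = 0               # counts mutations of the session store

    def login(self, credentials):
        """The single session write: store credentials under a fresh key."""
        key = secrets.token_urlsafe(32)   # unguessable value for the cookie
        expires_at = self.clock() + self.lifespan
        self.sessions[key] = (dict(credentials), expires_at)
        self.writes += 1
        return key

    def extract(self, cookie_value):
        """Read-only lookup of the incoming key; never writes the session."""
        entry = self.sessions.get(cookie_value) if cookie_value else None
        if entry is None:
            return {}                 # unknown or missing key: no credentials
        credentials, expires_at = entry
        if self.clock() >= expires_at:
            return {}                 # expired: treated as logged out
        return dict(credentials)

    def logout(self, cookie_value):
        """Drop the server-side entry; the caller also expires the cookie."""
        if self.sessions.pop(cookie_value, None) is not None:
            self.writes += 1
            return True
        return False
```

Expired entries are deliberately left in place by `extract` so that ordinary requests stay read-only; a real deployment would purge them out of band or rely on the session machinery's own timeout.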