[Zope] Session Management

Pavlos Christoforou pavlos@gaaros.msrc.sunysb.edu
Mon, 3 Jan 2000 23:39:13 -0500 (EST)


Oops I forgot! FSSession already supports _force_new_session.

On Tue, 4 Jan 2000, Anthony Baxter wrote:

> 
> Excellent plan. I can see two interfaces to define:
> 
> The interface to the Session object (the thing that's called to
> populate REQUEST with the SESSION object)
> The interface to the SESSION object (the dictionary-like thing 
> that's inserted into the REQUEST).

Here lies the major difference between FSSession and SQLSession. FSSession
does not insert the session object in the REQUEST object. It loads the
session info into temporary variables in the object. Is there a reason to
insert the session object in the REQUEST variable? I can change it if
there is a good reason.


> 
> 
> SESSION API:
>    SESSION.getName() - returns the session id of the current session.
Ok I will add it. Right now the SessionUID is inserted in the REQUEST
object.


> Supports dictionary interface, that is:
>    SESSION.__getitem__
>    SESSION.__setitem__
>    SESSION.__delitem__
>    SESSION.keys
>    SESSION.values
>    SESSION.items
>    SESSION.has_key
>    SESSION.clear
>    SESSION.update

Ok

> Query: should it also support __getattr__ ? I've resisted it so far as
> 'feature duplication', since there's nothing that you absolutely _need_ 
> it for - e.g. for <dtml-with> you can just write <dtml-with SESSION mapping>
> to put the SESSION values in the namespace.

I don't think so. If users ask for it then we can add it, but I will agree
it is not really necessary.

> 
>    SESSION.copy - unimplemented, raises error.
> 
>    SESSION.get -- alias for SESSION.__getitem__
>    SESSION.set -- alias for SESSION.__getitem__

Ok

> Session object API:
> 
>     Session.__call__(REQUEST=None, session_id=None, noCookie=None, 
> 			validSession=None)
>         if noCookie is set, do _not_ set a cookie.
>         if validSession is set, do _not_ create a new session if none is 
>         specified, or if the one specified is invalid.
>         if session_id is set, use this ID to connect to an existing session
>         (and populate REQUEST.SESSION and any cookie, as appropriate).
>         if REQUEST._force_new_session = 1, then always create a new session.
>       returns the string '<!-- session is "%s" -->'%sessionName (useful
>       for debugging, use dtml-var Session, rather than dtml-call Session).
> 
>     Session.cookie_name - string containing the name of the session cookie.

> This list is just cribbed from the CVS of release 0.2.3...
> Did I miss anything - and is there anything from FSSession that should be
> included?

I think one useful method is one that returns a URL including the
SessionUID if the client does not support cookies, or the URL if it does
(BTW, what is the best way of detecting whether the client supports cookies?).
Here is the implementation in FSSession:

    def url(self,url):
        if self.REQUEST.environ.has_key('HTTP_COOKIE'):
            # Client accepts cookies. Just return url. A situation can
            # arise where the client does accept cookies but there is
            # no cookie set for our domain. This method will mistake
            # the client as a non cookie enabled, but only the first
            # time.
            return url
        else:
            if '?' in url:
                return '%s&%s=%s'%(url,self.cookie_name,self.uid[0])
            else:
                return '%s?%s=%s'%(url,self.cookie_name,self.uid[0])  


Pavlos
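
The URL fallback described in the message above, as an added example in current Python (not FSSession code and not part of the original post): it keeps the same HTTP_COOKIE check, and additionally handles fragments, a stale copy of the parameter, and links that leave the site. The function name, the own_host parameter and the sample cookie name and id are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def session_url(url, environ, cookie_name, uid, own_host):
    """Return url unchanged when the client sent a Cookie header or the
    link leaves own_host; otherwise carry the session id in the query."""
    if 'HTTP_COOKIE' in environ:
        # Same heuristic as the posted method: any Cookie header means
        # the client accepts cookies, so no rewriting is needed.
        return url
    parts = urlsplit(url)
    # Only rewrite web links (relative, http or https).
    if parts.scheme not in ('', 'http', 'https'):
        return url
    # Relative links have no netloc. Absolute links must point at our
    # own host, so the session id is never appended to an external link.
    if parts.netloc and parts.hostname != own_host.lower():
        return url
    # Drop any stale copy of the parameter, then append the current id.
    query = [(k, v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != cookie_name]
    query.append((cookie_name, uid))
    # urlencode escapes the values; urlunsplit puts the fragment back
    # after the query string instead of in front of it.
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == '__main__':
    # Constructed sample values, not taken from FSSession.
    name, uid, host = '_SessionUID', 'abc123', 'www.example.org'
    samples = [
        ('/shop/cart', {}),
        ('/list?page=2#top', {}),
        ('/a?_SessionUID=old&x=1', {}),
        ('http://other.example.net/x', {}),
        ('/shop/cart', {'HTTP_COOKIE': '_SessionUID=abc123'}),
    ]
    for link, env in samples:
        print(link, '->', session_url(link, env, name, uid, host))
```
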