[Zope] ANN: Core Session Tracking 0.7
Chris McDonough
chrism@digicool.com
Tue, 30 Jan 2001 13:03:43 -0500
> >A new release of the "CoreSessionTracking" product is out. The product
> >allows you to associate state with anonymous visitors between requests.
>
> I've been wondering about this for a long time. It allows you to associate
> state with anonymous users. Does this imply that you can't associate state
> with authenticated users, or that there's another mechanism to do it with
> authenticated users?

There's nothing inherent in the product which prevents you from associating
state with authenticated users. It's just not as useful because once
they're authenticated you'd probably be better off associating the state
with their user object.

I've seen a couple of examples of session usage, however, that mix user
state and session state... for example, in the ASP world (and I think in the
servlet world too), when a session starts and ends, you can associate an
event with it. So this allows you to use the session space as sort of a
scratchpad for use when a user comes in. At start time, you copy over some
user state to the session object (based on authentication information). The
user does some stuff, changing the contents of the session state. Then when
the session expires, the session end event is called, the state is copied
back to the user object. This is something that core session tracking
doesn't do because session ids don't expire.

There are also a couple of undocumented methods in core session tracking
that allow you to associate a session data object with a user's database
path. The reason that they're undocumented is because I'm not sure how far
I want the tendrils of session tracking to go. This is an area we need help
in, but it's probable that this information should probably be associated
with the user in another way.

> In the servlet paradigm, there's a distinction between the HTTP session and
> authentication. You set up a session with an HTTP request, and thereafter
> if the session ID is returned to you it's the same session. In that
> session, the user can choose to login or not.
>
> Is this the same thing or is it different?

Core session tracking is the same.