[Zope] Core Session Tracking questions
Jérôme Loisel
jerome@levinux.org
Fri, 16 Mar 2001 12:33:59 -0500
Chris McDonnough -- 03/03/2001, 16:51 :
> Hi Jerome,
>
> > First question: Say my cookies are set to last 14 days, but my session data
> > manager only stores session data for 60 minutes... What happens? Say a
> > visitor comes, sets some preferences, leaves and comes back two days later. A
> > new session object is created. Are the old cookies "imported" in the new
> > object or is the data lost?
>
> The data is lost. The data container timeout determines how long the data
> sticks around, not the cookie timeout (the cookie contains what you can
> think of as a "browser id" rather than a "session id", although the docs
> claim it's a sessionid... this is why the docs go into some explanation of
> this phenomenon). In many cases, it's desirable to use a session id as...
> well.. a session id, instead of trying to use it to associate data with a
> user for time immemorial. One common pattern is to use a session data
> object to store data about the user until they log in. Then when they log
> in, you copy the data from the session data object to an object associated
> with the user, and then clear the session data, considering the
> user-associated data canonical.
I have been thinking about this... There are several cases in which a site
needs to track user information. In some cases, the site needs to store
security-sensitive user info locally... Your current CST code fits that bill
very nicely.
But often, you just want to store user preferences. These preferences need
not be secure so can be stored on the client... And you want to keep those
for as long as someone visits your site, so storing it on the server is
actually troublesome. To fill this need, people often manually set cookies.
But I hate manually setting cookies. I often bump into problems when I try to
do so. On the other hand, I love the simplicity of CST. And I wonder: could
CST not be used to accomplish both goals via the development of a
cookie-based session data manager?
You would have a data manager which stores all information client-side via
cookies. The data could be stored much longer, months instead of hours. And
it would not impact resources, RAM or filesystem. I would not use this to
store security-sensitive data about logged-in users, but I would definitely
use it to remember which skin an anonymous user preferred.
Is that at all possible? Will we see something like this someday? Just
wondering. Thanks for CST, it's great. Cheers,
Jérôme Loisel
--
Jérôme Loisel
Lévinux: GNU/Linux in the communities of Lévis
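
One way the cookie-backed preference store proposed in this message could work, as an added example (not part of the original message and not CST or Zope code): preferences are allow-listed and HMAC-signed, because anything stored client-side can be edited by the visitor. The names `dump_prefs`, `load_prefs`, `SECRET` and the skin/lang values are assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to the client
ALLOWED = {"skin": {"default", "dark", "print"}, "lang": {"en", "fr"}}  # hypothetical prefs
MAX_AGE = 90 * 24 * 3600           # "months instead of hours"
MAX_COOKIE = 4096                  # common per-cookie size limit in browsers

def _mac(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def _validate(prefs):
    # Keep only known keys whose value is one of the permitted strings.
    return {k: v for k, v in prefs.items()
            if isinstance(v, str) and v in ALLOWED.get(k, ())}

def dump_prefs(prefs, now=None):
    """Serialize preferences into a signed cookie value (integrity only, not secrecy)."""
    stamp = int(time.time() if now is None else now)
    body = json.dumps({"p": _validate(prefs), "t": stamp}, sort_keys=True)
    payload = base64.urlsafe_b64encode(body.encode())
    value = payload.decode() + "." + _mac(payload)
    if len(value) > MAX_COOKIE:
        raise ValueError("preferences do not fit in one cookie")
    return value

def load_prefs(value, now=None):
    """Return validated preferences, or {} for a missing, forged, stale or malformed cookie."""
    now = time.time() if now is None else now
    try:
        payload, mac = value.rsplit(".", 1)
        # Constant-time comparison; the MAC is checked before the payload is parsed.
        if not hmac.compare_digest(_mac(payload.encode()), mac):
            return {}
        data = json.loads(base64.urlsafe_b64decode(payload))
        if now - int(data["t"]) > MAX_AGE:
            return {}
        return _validate(data["p"])
    except (ValueError, TypeError, KeyError, AttributeError):
        return {}
```

The signature only detects tampering; the payload is readable by the client, which matches the message's restriction to non-sensitive preferences.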