[Zope] How SESSIONs work
Matthew T. Kromer
matt@zope.com
Tue, 19 Feb 2002 11:23:13 -0500
Bill Bell wrote:
>
>First of all, thank you for your responses to my question. Unfortunately I did not make my meaning clear.
>
>I would like an elementary understanding of how the internals of SESSIONs work. I assume they make use of cookies. If this is correct then, what information is sent back and forth using cookies?
>
Yes, it uses cookies by default. It doesn't have to -- it can be enabled
to use FORM variables, but that's tougher to do by default (the one
component can't just behave passively.)
There's an ID manager that assigns a cookie to a browser, a data manager
that uses that ID to connect to a temporary session data store, and the
data store itself. In conjunction, all three form a "session."
The only information in the cookie is the browser ID -- just a unique
key to retrieve the session data saved on the server. The key is NOT
cryptographically secure -- capturing the key would enable you to steal
a session if the application didn't check for that. This is intended,
as the various proxy servers out there make uniquely identifying a
browser in a secure fashion tricky. The only really good way to do that
IMHO is SSL + cookies.
--
Matt Kromer
Zope Corporation http://www.zope.com/
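The three-part arrangement Matt describes (ID manager, data manager, temporary data store) modelled in plain Python, as an added illustration that is not Zope's own code: the cookie carries only the browser ID, the data lives server-side, and an expired ID gets a fresh empty session. The cookie name `_ZopeId`, the 20-minute timeout and the use of `secrets` for a random ID are assumptions for this illustration; real Zope's ID generation differs, as Matt notes.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "_ZopeId"  # assumed cookie name for this illustration


class BrowserIdManager:
    """Hands a browser an ID via a cookie (optionally also read from a form field)."""

    def __init__(self, allow_form=False):
        self.allow_form = allow_form

    def get_browser_id(self, headers, form=None):
        # Returns (browser_id, set_cookie_header); set_cookie is None if the ID already existed.
        cookie = SimpleCookie(headers.get("Cookie", ""))
        if COOKIE_NAME in cookie:
            return cookie[COOKIE_NAME].value, None
        if self.allow_form and form and COOKIE_NAME in form:
            return form[COOKIE_NAME], None
        # Only an opaque lookup key goes to the browser; here it is a strong random value.
        new_id = secrets.token_urlsafe(16)
        return new_id, f"{COOKIE_NAME}={new_id}; Path=/; HttpOnly; Secure"


class SessionDataStore:
    """Temporary server-side store: browser ID -> session dict, dropped after a timeout."""

    def __init__(self, timeout_seconds=1200):  # assumed 20-minute idle timeout
        self.timeout = timeout_seconds
        self._entries = {}

    def get(self, browser_id, now=None):
        now = time.time() if now is None else now
        entry = self._entries.get(browser_id)
        if entry is not None and now - entry["touched"] > self.timeout:
            del self._entries[browser_id]  # stale session: start over with empty data
            entry = None
        if entry is None:
            entry = {"touched": now, "data": {}}
            self._entries[browser_id] = entry
        entry["touched"] = now
        return entry["data"]


class SessionDataManager:
    """Joins the ID manager to the store; this pair plus the store form the 'session'."""

    def __init__(self, id_manager, store):
        self.id_manager, self.store = id_manager, store

    def get_session(self, headers, form=None, now=None):
        browser_id, set_cookie = self.id_manager.get_browser_id(headers, form)
        return self.store.get(browser_id, now), set_cookie
```

A first request with no cookie yields a `Set-Cookie` header and an empty session; replaying that cookie returns the same server-side dict, which is exactly why the ID alone identifies the session.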