[Zope] Zope cookies data point

Andreas Kostyrka andreas@kostyrka.priv.at
07 Sep 2002 08:58:22 +0200


Am Die, 2002-08-27 um 00.26 schrieb Chris McDonough:
> FWIW, Shane mentioned that sessions use cookies, but on the 2.6 branch
> (the trunk) it's possible to do "cookieless" sessioning via the
> automatic embedding of browser ids in the URL.  It makes for very ugly
> URLs, though, and you still need to either post to forms with
> Zope-generated URLs or embed the browser id in a hidden form element.
Well, then it's done it the "wrong" way:

There are three kinds of URLs:
a) relative
b) absolute (with or without hostname)
c) Zope-generated ones (img.tag, obj.absolute_url)
Now consider how much work they are with these session embedding
schemas:
I) FORM parameter.
   a+b need work
   c can be automated, but still changes how the url can be used when 
   generated. (...url and ...url?session=xy are different. For the first
   one needs ?param=X and for the second one &param=X)
II) prefix the URL:
   consider a mapping where the session id is inserted at the beginning
   and the application object does the session magic:
   /myfolder/myobject is redirected to /SessNew/myfolder/myobject
   /SessExisting/myfolder/myobject doesn't need any massaging.
   /SessExpired/url either resurrects the session or redirects to a new
   session.
   Consider the effects on our three kinds:
   a doesn't need any work.
   b must be manually massaged.
   c can be automated AND it's ending is semantically the same as 
     without session embedded.

I'd ratehr hope that Zope 2.6 learns especially the second set:
-) It can be made to work quite transparently.
-) It can be combined with a cookie session handling.
-) With sensible handling of expired sessions it also handles 
   bookmarking well enough.

Andreas