[Zope-CMF] Non-cookie sessions in CMF

Chris McDonough chrism@zope.com
Tue, 5 Mar 2002 09:31:48 -0500


Hi A M,

The short answer:  use Zope 2.5 and set the browser id manager (at the root)
to get session info from "cookies then form".

URL-rewriting is necessary only for those users who have cookies turned off
(or who are using browsers that don't support cookies).  To support users who
have cookies turned off, pass each of the link URLs that point back to your
site to the encodeUrl method of the browser id manager in order to rewrite
them, e.g. <a href="<dtml-var
"browser_id_manager.encodeUrl('http://foo/bar')">"> will turn into something
like <a href=http://foo/bar?_ZopeId=981923819238>.

If it's critical to get URL-based browser ids working in CMF's DemoPortal,
you'll need to get the URL-generating methods in the CMF (like the actions
box) to rewrite their URLs with browser ids.  This will almost certainly
require some programming, however, so you'll need to either learn Python &
CMF or you'll need to perhaps hire (or cajole ;-) someone to help you.

- C


----- Original Message -----
From: "A M Thomas" <am@virtueofthesmall.com>
To: <zope-cmf@zope.org>
Sent: Monday, March 04, 2002 3:40 PM
Subject: [Zope-CMF] Non-cookie sessions in CMF


> Hi all,
>
> First, let me confess my cluelessness.  I'm a newbie, I haven't used
> Zope that much yet, but I've read a darn lot and can't find the answer
> to this question.
>
> Before I discovered Zope (I've been working with it about a week and a
> half), I was working on my own kind of framework (crude) in Perl, mainly
> for shopping carts.  So far, it handled sessions this way:
>
> When a user first accessed the site (i.e., no session was passed in), a
> session would be created, UNLESS the user was a known search engine
> robot.
>
> All output web pages were put through a filter which re-wrote all Form
> actions and all links to include a cart_id=[bunch of numbers] HTML PUT
> string, or, if URL rewriting was active, the links would be rewritten to
> include a /[bunch of numbers] on the end (i.e., the cart_id would look
> like part of the URL path, rather than a CGI argument).
>
> Then, wherever the user went on the site, the existing session number
> (cart_id) would be passed in, and information for that session would be
> loaded.  Search engines would see the URL's without session ID's, which
> was good for them, and users finding site pages through search engines
> would of course go to pages without having a session already associated
> with them - so new users would always get a new session.
>
>
> Now, it would be great to have that kind of session management for Zope
> and CMF.  It would be even better if cookies were added into the mix, so
> that if no session ID (I'm using the term interchangeably with my legacy
> cart_id) were passed in, the system attempted to set a session cookie.
> If a cookie session ID were present, then that would be used instead of
> the other session method, and cleaner URL's could be used.  Make sense?
>
> When a user logs in, the same session ID can be kept - no need to change
> it because of successful authentication.  No need to wait for a user to
> log in to assign a session ID, either - in fact, in a shopping-type
> application, a user would probably never log in.
>
>
> So, how do I get this to happen?  Is there a product I can install,
> something I can configure?  I've read through _all_ the product
> listings, read all of "The Zope Book", read the CMF sections in "Zope
> web application construction kit" book, searched through what I could
> find on the zope.org site, through the past few months of the CMF
> mailing list, and through reading material suggested to
> session-inquisitive mailing list posters.  I've read the help on
> "Session Data Manager", but I don't think this has anything to do with
> CMF.  I haven't a clue where to start.  Someone referred to the
> "sessions" link in the control panel or in the root of my CMF site, but
> I can't find it.  There may well be something up that just didn't look
> like it would work based on the Install notes that I missed, or that I
> didn't realize could somehow be hooked into the CMF.
>
> I confess one more thing: I don't know Python, although I'm about to
> start reading a tutorial.  If I have time today :)
>
> Basically, I guess I want to a) replace the cookie-based session
> mechanism in the current CMF package with a non-cookie-based one,
> optimally with the either/or model I described above, and b) make some
> kind of special DTML var tag that would do the "right thing" to all my
> links if appropriate.  Plus make sure the links generated by my skin are
> written appropriately - perhaps overwrite "getURL" (I don't seem to have
> documentation on that one)?
>
> Has this been done already?  Is anyone interested enough to help with
> this?  Having sessions (and CMF) work without cookies is extremely
> important to me; I need for this to work before I proceed much further,
> so I'm willing to help if necessary.
>
> Many thanks,
> Am Thomas
> --
> Virtue of the Small
> http://virtueofthesmall.com
> am@virtueofthesmall.com
>
>
> _______________________________________________
> Zope-CMF maillist  -  Zope-CMF@zope.org
> http://lists.zope.org/mailman/listinfo/zope-cmf
>
> See http://www.zope.org/Products/PTK/Tracker for bug reports and feature
> requests
>
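
An added illustration of the reply at the top of this thread, not part of the original messages and not Zope's own code: a Python stand-in for the "cookies then form" lookup order and for rewriting only links that point back to the site. The `_ZopeId` name and the host `foo` come from the reply's sample URL; the function names and `SITE_HOST` are assumptions made for this example.

```python
# Added example: a stand-in for the behaviour described in the reply,
# not the browser id manager's implementation.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

ID_NAME = "_ZopeId"   # parameter name from the reply's sample URL
SITE_HOST = "foo"     # assumed site host, from the sample http://foo/bar


def get_browser_id(cookies, form):
    """'Cookies then form': prefer the cookie, fall back to the form value.

    Returns (browser_id, source) where source is 'cookie', 'form' or None.
    """
    if cookies.get(ID_NAME):
        return cookies[ID_NAME], "cookie"
    if form.get(ID_NAME):
        return form[ID_NAME], "form"
    return None, None


def encode_url(url, browser_id, site_host=SITE_HOST):
    """Append the browser id to a link only if it points back to our site."""
    parts = urlsplit(url)
    # Links to another host are returned untouched, so the id in the
    # query string is never handed to a third-party site.
    if parts.netloc and parts.hostname != site_host:
        return url
    # Non-web schemes (mailto:, javascript:, ...) are not site links.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return url
    # Drop an id already in the query so repeated rewriting does not stack.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != ID_NAME]
    query.append((ID_NAME, browser_id))
    return urlunsplit(parts._replace(query=urlencode(query)))


def rewrite_link(url, cookies, form):
    """Rewrite only for clients whose id arrived via the form/query string.

    Clients that sent the cookie keep clean URLs. Issuing a new id to a
    first-time visitor is outside the scope of this stand-in.
    """
    browser_id, source = get_browser_id(cookies, form)
    if source == "form":
        return encode_url(url, browser_id)
    return url
```
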