[Zope-dev] CST not really... :-)

[Oliver Bleutgen]

> Hi everyone,


> But we think a really good CORE session tracking should be transparent
> and independent of this cookies/forms options. This means be able
> to install zope and have somewhere an option to turn on/off
> zope "really core session tracking". This means zope
> having the ability to do sessions using http1.1 persistent connections
> which
> medusa allready implements and also most current
> browsers. Then no need to generate Tokens and pass them with cookies
> or forms, there is allready a unique identifier between the server
> and the client and that is in medusa socket_map.

Nope,
persistent connections are _not_ unique.
RFC 2616 proposes that the client SHOULD implement
no more then 2 persistent connections (i.e. it can use more
than 1). And nowhere do I find a guarantee that the requests
from the client have to use always the same persistent connection
- i.e. they may close that connection and reopen another one.
And how does the client know when to close the connection -
it surely will not hold the connection open as long as the
browser runs. So how does one handle the user which goes 
to a side, takes a break of 10 minutes and the continues 
there?

Another data-point, there is an rfc, 2965, which explicitly
deals with HTTP state management, and it doesn't mention
http/1.1 persistent connections I think. 



cheers,
oliver