[Zope] Re: Session support (was: Object serialization between different pages)

Chris McDonough chrism@digicool.com
Tue, 12 Sep 2000 12:05:18 -0400


Hi Tom,

> I just read your proposal and I think it would be nice to have such a
> standard product in Zope. Certainly since lots of these 'shopping carts'
> websites are popping up on the internet.
> I've however one question, which is more generally to e-commerce products
> and which perhaps give this product this little extra than others. At the
> moment all? these e-commerce products need 'cookies'.

To which ecommerce products are you referring?

> This implies that the
> user needs to have this feature enabled. People who don't want cookies or
> just don't know how to set it, will not be able to 'shop'.
> Now, isn't there a possible solution for?

Yes, url-rewriting.  I even saw one product that went as far as to hook
into DNS to dynamically create "fake" hosts on-the-fly to use as a session
key.

> Perhaps not that good as cookies,
> but it can be a solution. I believe cookies are placed on the client
> computer and that they can stay alive or be removed after a certain time.
> So, isn't it possible to mimic these cookies on the server site (while the
> session is active)?

Mimic, no... not permanently, unless a rewritten URL is bookmarked.  The
server needs some indication on a request as to what session the client
belongs to.  Cookies provide this more or less transparently, while
URL-rewriting is slightly more intrusive.

> The only problem I see is that we need to be sure to
> connect the correct server-file with the correct user. But isn't this
> possible with information out of the HTTP request?

Yes, a cookie or a URL (or POST variables) with a session key embedded
somewhere.

> This way we create a
> file on the server (with a name which uniquely identifies the client) or
> zope-object (but this gives the problem that the Zope database will
> rapidly grow)

A session manager which directly writes files onto the filesystem isn't a
scalable solution (sessions cannot be shared across ZEO clients).  This is
why a nonundoable storage is a related deliverable in this proposal, as it
can be shared from ZEO and mounted by several ZEO clients.

> when the user starts shopping. When shopping is finished the file is
> removed (and eg some information is sent to another place so that people
> know something is ordered). The session manager itself checks if certain
> sessions are abandoned and if one is not active (for 20 minutes) it deletes
> the file.

Yep, there are a few different kinds of garbage collection schemes we can
use, this is one.

> The contents of the file are the same as what you would place in
> cookies.

A cookie will almost always hold a session id, and maybe other metadata, but
probably never any data used directly by the app.  The app will go through
the session manager, and won't need to know anything about the contents of
the cookie.

> If the product would have the possibility to have something like this
> extra (ie. you can manually choose to have a client or server cookie (or
> you let the product decide it automatically ie cookies on -> client cookie
> otherwise server cookie)) this would be a nice thing for Zope against its
> competitors.

There is no such thing as a server cookie, but a similar
failover-to-URL-rewriting scheme can be made available to developers.
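
The scheme discussed in this thread, as an added example that is not part of the original message and is not Zope code: the client carries only a random session key (cookie first, rewritten URL as failover), the data stays on the server, and sessions idle for 20 minutes are collected. The names `SessionManager`, `_sid` and the in-memory dict are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

IDLE_TIMEOUT = 20 * 60  # the 20-minute idle limit mentioned in the thread
KEY_NAME = "_sid"       # hypothetical cookie / query parameter name


class SessionManager:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._store = {}  # session key -> [last_access, data dict]

    def _extract_key(self, cookie_header, url):
        """Find the session key on the request: cookie first, then URL."""
        if cookie_header:
            jar = SimpleCookie()
            jar.load(cookie_header)
            if KEY_NAME in jar:
                return jar[KEY_NAME].value, "cookie"
        query = parse_qs(urlsplit(url).query)
        if KEY_NAME in query:
            return query[KEY_NAME][0], "url"
        return None, None

    def get_session(self, cookie_header, url):
        """Return (key, source, data); the app only ever touches `data`."""
        self.collect_garbage()
        sid, source = self._extract_key(cookie_header, url)
        if sid not in self._store:
            # Unknown or expired key: never adopt a value chosen by the
            # client, always issue a fresh unguessable one.
            sid, source = secrets.token_urlsafe(32), "new"
            self._store[sid] = [self._clock(), {}]
        entry = self._store[sid]
        entry[0] = self._clock()  # refresh the idle timer
        return sid, source, entry[1]

    def rewrite_url(self, url, sid):
        """Failover for clients without cookies: embed the key in a link."""
        parts = urlsplit(url)
        query = [(k, v) for k, v in parse_qsl(parts.query) if k != KEY_NAME]
        query.append((KEY_NAME, sid))
        return urlunsplit(parts._replace(query=urlencode(query)))

    def collect_garbage(self):
        """Drop every session that has been idle longer than IDLE_TIMEOUT."""
        cutoff = self._clock() - IDLE_TIMEOUT
        for sid in [s for s, (t, _) in self._store.items() if t < cutoff]:
            del self._store[sid]
```

A key carried in a URL ends up in bookmarks, so the idle timeout and the refusal to adopt unknown keys matter more on the failover path than on the cookie path.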