[Zope] Core Session Tracking questions

Chris McDonough chrism@digicool.com
Fri, 16 Mar 2001 13:21:00 -0500


> I have been thinking about this... There are several cases in which a site
> needs to track user information. In some cases, the site needs to store
> security-sensitive user info locally... Your current CST code fits that
> bill very nicely.

Geez.  It does?  It's not very secure... nobody should be using any session
manager to store sensitive data for very long.  For a long discussion about
this, see the zope ml archives around November of last year.  If you mean,
however, that you store it in a session data object temporarily until it is
written to a user-related datastore, this is an acceptable risk for lots of
folks.

> But often, you just want to store user preferences. These preferences need
> not be secure so can be stored on the client... And you want to keep those
> for as long as someone visits your site, so storing it on the server is
> actually troublesome. To fill this need, people often manually set
> cookies.

Yes... we have this problem on Zope.org.  There are thousands of orphaned
accounts.

> But I hate manually setting cookies. I often bump into problems when I try
> to do so. On the other hand, I love the simplicity of CST. And I wonder:
> could CST not be used to accomplish both goals via the development of a
> cookie-based session data manager?

That's an interesting idea.  Except that cookies are usually limited to
~4000 characters on the client.  You can't stuff much data into 4000
characters.  It'd be pretty neat, however.  Care to try to implement it?
;-)  If not Jerome, anyone else?

> You would have a data manager which stores all information client-side via
> cookies. The data could be stored much longer, months instead of hours.
> And it would not impact resources, RAM or filesystem. I would not use this
> to store security-sensitive data about logged-in users, but I would
> definitely use it to remember which skin an anonymous user preferred.
>
> Is that at all possible? Will we see something like this someday? Just
> wondering. Thanks for CST, it's great. Cheers,

Not from me in the near future.  I'm trying desperately to get another CST
release out the door with the features it already has.  ;-)
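
Added example, not part of the original message and not CST code: a sketch of the cookie-backed preference store discussed in this thread. It enforces the ~4000 character budget when writing, and on reading treats the cookie as client-controlled input by keeping only values from a known schema. The cookie name, schema and function names are hypothetical.

```python
import json
from http.cookies import CookieError, SimpleCookie
from urllib.parse import quote, unquote

MAX_COOKIE_CHARS = 4000   # the ~4000 character limit mentioned in the thread
COOKIE_NAME = "prefs"     # hypothetical cookie name
ALLOWED = {               # hypothetical schema: only non-sensitive preferences
    "skin": {"default", "dark", "print"},
    "lang": {"en", "fr", "de"},
}

def validate(prefs):
    """Keep only known keys with known values; anything else is dropped."""
    if not isinstance(prefs, dict):
        return {}
    return {k: v for k, v in prefs.items()
            if k in ALLOWED and isinstance(v, str) and v in ALLOWED[k]}

def dump_prefs(prefs, max_age_days=90, max_chars=MAX_COOKIE_CHARS):
    """Return a Set-Cookie header value that stores prefs on the client."""
    body = json.dumps(validate(prefs), separators=(",", ":"), sort_keys=True)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = quote(body, safe="")   # percent-encode for the cookie
    cookie[COOKIE_NAME]["max-age"] = max_age_days * 86400  # months, not hours
    cookie[COOKIE_NAME]["path"] = "/"
    header = cookie[COOKIE_NAME].OutputString()
    if len(header) > max_chars:
        raise ValueError("preferences do not fit in one cookie")
    return header

def load_prefs(cookie_header):
    """Parse a Cookie request header; the client may have edited it."""
    try:
        cookie = SimpleCookie(cookie_header)
        raw = json.loads(unquote(cookie[COOKIE_NAME].value))
    except (KeyError, ValueError, CookieError):
        return {}          # missing, malformed or non-JSON cookie
    return validate(raw)

if __name__ == "__main__":
    header = dump_prefs({"skin": "dark", "lang": "en"})
    print(header)
    print(load_prefs(header.split(";")[0]))
```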