[Zope] REQUEST parameters needed throughout website

Chris McDonough chrism@zope.com
09 Sep 2002 12:59:16 -0400


When a user logs in you want to clear the SESSION object related to his
browser.  The simplest way to do this is to use a cookie-based user
folder and cause the session to be cleared as a result of the user
submitting a login form (read the Sessions chapter and look for
"invalidate" to see how to clear the session).

The stock Zope user folder uses basic HTTP authentication and is
therefore not suitable for this purpose.  This is an unfortunate
limitation of basic authentication.  Basic HTTP authentication is not
suitable because there is no way to "hook" a login (the programmer never
gets the chance to "do something" when a user logs in).  OTOH,
cookie-based user folders are suitable for this purpose because
typically you will have the chance to display a custom login form and
process its results yourself.  During this processing, on successful
login, invalidate the session object, and you'll have solved your
problem.

For a list of user management-related Products, many of which are user
folder implementations that you might be able to use, consult
http://www.zope.org/Products/user_management .

On Mon, 2002-09-09 at 12:18, Stacy Roberts Ladnier wrote:
> I know the session was created for this reason. However, when storing
> parameters in the session, we experience problems when a user switches login
> names in the same browser session. Parameters that exist under one user name
> are persisted over to the new user name and this should not be allowed to
> happen. When it does, certain options the user can choose, will cause the
> search mechanism to completely crash and write null values to the database.
> This then prevents the user from using our site until we detect the Null value
> and delete it. As you can imagine, this is a MAJOR problem that has to be
> avoided at all costs. When parameters are passed in the REQUEST object, this
> problem is resolved.
> 
> Right now, we recreate the REQUEST object in each page. This becomes code
> intensive and a management nightmare. When one parameter is added, every
> single page must be touched. I would love to use the session, but the
> resulting problems prevent me from utilizing it. I need a way to persist the
> parameters throughout my search capabilities, but wipe the slate clean when a
> user logs in as a different user. I tried this out with the session, but a new
> session is not created unless I open a new browser instance and then log in in
> this new instance.
> 
> If I can find a way to force a new SESSION object to start when a user clicks
> a certain link, my problem may be solved. I know I ABSOLUTELY want to avoid
> passing 50 parameters in the URL string. That is so UGLY.
> 
> You mention that I can, in fact, remove the arguments from the session. Can
> you please explain how I can do this in detail? I want the transition to ZOPE
> to bring about some valuable improvements to our site and the maintenance of
> our code.
> 
> Stacy
> 
> Heimo Laukkanen wrote:
> 
> > Subject: Re: [Zope] REQUEST parameters needed throughout website
> > Cc: zope@zope.org
> > To: "Stacy Roberts Ladnier" <Stacy.Roberts@noaa.gov>
> > From: Jens Vagelpohl <jens@zope.com>
> >
> >  > user's search. I DO NOT want to use the session to store the parameters
> >  > in because this will cause problems if a certain course of action is
> >  > taken.
> > ...
> >  > Please understand I am very new to Zope. My company is trying to
> >  > transition from Java and JSP to Zope and Python. I need to make sure
> >
> > Since you say:
> >    a) you are new to Zope
> >    b) you don't want to use sessions
> >    c) you need to do something that is exactly what sessions are for,
> >
> > I'll have to ask - what are the conditions and the course of action
> > that makes sessions cause problems? And what kind of problems they are
> > - and is the reason for these problems sessions or something else?
> >
> > And as a reminder:
> >
> > 1) HTTP is a sessionless protocol - there is no such thing as a
> > session in the protocol
> >
> > 2) Passing variables or arguments happens usually either in the URL (
> > http://xx.xx.xx?foo=bar&dinner=spam ), as a form field or in a cookie.
> >
> > 3) Since passing multiple arguments all the time is stupid - systems
> > for storing the data with a session key have been developed to
> > practically all the web development platforms. Instead of passing all the
> > arguments you just pass the session key. And then the session key
> > gives you access to all your arguments. And when you are done, you can
> > just remove the arguments or kill the session.
> >
> > Now.  Is the session mechanism really the problem?
> >
> > -huima
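
Added example, not part of the original thread and not Zope's own code: a self-contained Python model of the login hook described in the reply at the top of this message, where the login form handler clears the browser's session on a successful login so one user's stored search parameters never carry over to the next. `SessionStore`, `process_login`, `demo`, the accounts and the browser id are all hypothetical stand-ins constructed for illustration.

```python
import secrets

class SessionStore:
    """Constructed stand-in for a server-side session store keyed by a browser cookie."""
    def __init__(self):
        self._data = {}

    def get(self, browser_id):
        # Session data is created lazily on first access.
        return self._data.setdefault(browser_id, {})

    def invalidate(self, browser_id):
        # Drop everything stored for this browser.
        self._data.pop(browser_id, None)

USERS = {"alice": "pw-a", "bob": "pw-b"}  # constructed sample accounts

def check_credentials(name, password):
    expected = USERS.get(name)
    return expected is not None and secrets.compare_digest(expected, password)

def process_login(store, browser_id, name, password, clear_on_login=True):
    """Handle a submitted login form; return the user's session, or None on failure."""
    if not check_credentials(name, password):
        return None  # a failed attempt must not wipe the current user's session
    if clear_on_login:
        # The hook a custom login form gives you: wipe the previous user's data.
        store.invalidate(browser_id)
    session = store.get(browser_id)
    session["user"] = name
    return session

def demo(clear_on_login):
    """Two users log in one after the other from the same browser."""
    store = SessionStore()
    browser_id = "browser-1"  # constructed cookie value
    first = process_login(store, browser_id, "alice", "pw-a", clear_on_login)
    first["search_params"] = {"region": "gulf", "year": "2001"}
    return process_login(store, browser_id, "bob", "pw-b", clear_on_login)

if __name__ == "__main__":
    print("without clearing:", demo(clear_on_login=False))
    print("with clearing:   ", demo(clear_on_login=True))
```

With basic HTTP authentication there is no equivalent of `process_login` to put the `invalidate` call in, which is the limitation the reply describes.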