[Seaside] session and cookies?

Dave Bauer dave at thedesignexperience.org
Thu Aug 30 16:54:34 UTC 2007


On 8/30/07, Leandro Perez <leandromperez at gmail.com> wrote:
> Hi list!,
> Please consider this situation:
> A user enters the site (a WASession is created) then the user logs in (a
> User model object holding some information is stored in the session, in an
> instance variable), does some work, and:
>     1-leaves the page, i.e. he goes to another web site
>     2-close the tab holding the page
>     3-close the browser
>     4-logs out and then leave.
>
> Whenever the user re-enters the site, another WASession is created (AFAIK)
> which hasn't got the user information (the user instance variable is nil).
> This is ok in the case 4, because no user is logged in. But in the cases
> 1-3, when the user comes back, the system should recognize him and his
> information should be available in the current session because, actually, he
> is still logged in.
>
> If the original session hasn't expired, it could be reassigned so the user
> information is available. Another solution would be working with another
> session but setting its user variable to the one the original session had.
>
> so.. the question would be..
> What is the best way to achieve this, cookies maybe?
> If so, should I consider session-only-cookies vs permanent cookies? (because
> of the difference between cases 1,2 and case 3)
>

There are two things to consider here.

1) you want to recognize the user, if they have previously logged in
and clicked some sort of "remember my login" box.
2) you don't want to have the session last forever in case there is a
login on a shared computer

So you need a session cookie that expires after say 15 mins. On every
request if the cookie has not expired, renew the timeout on the cookie
for another 15 mins. After 15 mins you could recognize the user, but
ask for the user to enter their password again, to confirm their
identity. It is usually friendly to allow the user to access public
resources without requiring them to type the password again. You'd
just ask for the password if they attempted to view some private data,
or perform an action.

Dave
> Thanks a lot,
> Leandro


-- 
Dave Bauer
dave at solutiongrove.com
http://www.solutiongrove.com
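The two-cookie scheme Dave describes (a 15-minute sliding session plus a longer-lived "remember my login" token that only recognizes the user and still demands the password for private data), as an added illustration that is not code from the thread or from Seaside; the store, token lifetimes beyond the 15 minutes and the `/private/` path convention are assumptions.

```python
import hashlib
import os

SESSION_TTL = 15 * 60          # idle timeout from the reply: 15 minutes, renewed per request
REMEMBER_TTL = 30 * 24 * 3600  # assumed lifetime of the persistent "remember me" cookie


def _h(token: bytes) -> bytes:
    # Only hashes are stored server side, so a leaked store does not yield usable cookies
    return hashlib.sha256(token).digest()


class AuthStore:
    """Server-side state: session tokens (session-only cookie) and remember tokens
    (persistent cookie with an Expires attribute), both keyed by their hash."""

    def __init__(self):
        self.sessions = {}  # sha256(token) -> {"user": str, "expires": float}
        self.remember = {}  # sha256(token) -> {"user": str, "expires": float}

    def login(self, user, remember, now):
        s_tok = os.urandom(32)
        self.sessions[_h(s_tok)] = {"user": user, "expires": now + SESSION_TTL}
        r_tok = None
        if remember:  # only when the user ticked the "remember my login" box
            r_tok = os.urandom(32)
            self.remember[_h(r_tok)] = {"user": user, "expires": now + REMEMBER_TTL}
        return s_tok, r_tok

    def logout(self, session_tok, remember_tok):
        # Case 4 in the question: revoke both tokens, nothing survives on a shared computer
        self.sessions.pop(_h(session_tok), None)
        if remember_tok is not None:
            self.remember.pop(_h(remember_tok), None)

    def request(self, path, session_tok, remember_tok, now):
        """Return (state, user): authenticated, recognized, reauth_required or anonymous."""
        if session_tok is not None:
            s = self.sessions.get(_h(session_tok))
            if s and s["expires"] > now:
                s["expires"] = now + SESSION_TTL  # sliding renewal on every request
                return "authenticated", s["user"]
            self.sessions.pop(_h(session_tok), None)  # idle for over 15 minutes: drop it
        if remember_tok is not None:
            r = self.remember.get(_h(remember_tok))
            if r and r["expires"] > now:
                # The user is recognized, but private data needs the password again
                if path.startswith("/private/"):
                    return "reauth_required", r["user"]
                return "recognized", r["user"]
        return "anonymous", None
```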