[Seaside] session and cookies?

John Thornborrow john at pinesoft.co.uk
Thu Aug 30 17:14:08 UTC 2007


In my opinion, the best practice for "remember me" functionality is to
store the encrypted/hashed username and password in the cookie, then,
when the user returns to the site, try to log them in after decrypting
or comparing hash values, instead of having the user enter them manually.

Everything else should be instanced as per a "normal" login from then
on. If you have session-specific information, then the session has
ended, thus the new session will lose that information.

However, it is possible to store the session ID in the user's cookie, so
if the session has not expired, and you override the cookie timeout, it
would be possible for the user to return to the same session (and also
possible to return to the same session from a different machine, so be
warned of hijacking!).

Hope this helps,

John

www.pinesoft.co.uk
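As an added example (not code from the thread, and written in Python rather than Seaside's Smalltalk so it can run stand-alone), the following shows the cookie-based flow John describes with one deliberate design choice: the cookie carries a server-signed token with an expiry instead of credential material, so a stolen or tampered cookie can be detected and bounded in time. It also mirrors Leandro's second option, where every visit gets a fresh session whose user field is repopulated from a valid cookie. `SERVER_KEY`, the `Session` class and all function names are constructed for this example; in Seaside the equivalent hooks would be the cookie accessors on the request and response objects.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this example: a real deployment loads this from configuration
# and rotates it; anyone holding it can forge remember-me cookies.
SERVER_KEY = b"example-only-server-key-do-not-reuse"


def make_remember_token(username: str, ttl_seconds: int,
                        now: Optional[float] = None) -> str:
    """Build a cookie value 'username|expiry|mac'.

    No password or password hash is stored: the HMAC proves the server issued
    the token, and the embedded expiry bounds how long a copied cookie works.
    """
    if "|" in username:
        raise ValueError("username may not contain the field separator")
    now = time.time() if now is None else now
    expiry = int(now + ttl_seconds)
    payload = f"{username}|{expiry}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_remember_token(cookie_value: str,
                          now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is authentic and unexpired, else None.

    Verification checks the MAC before trusting any field, uses a constant-time
    comparison, and treats malformed input as an anonymous visitor.
    """
    now = time.time() if now is None else now
    parts = cookie_value.split("|")
    if len(parts) != 3:
        return None
    username, expiry_str, mac = parts
    expected = hmac.new(SERVER_KEY, f"{username}|{expiry_str}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        expiry = int(expiry_str)
    except ValueError:
        return None
    if now >= expiry:
        return None
    return username


def remember_me_set_cookie(token: str, ttl_seconds: int) -> str:
    """Render the Set-Cookie header for the token.

    HttpOnly keeps page scripts away from the token, Secure keeps it off plain
    HTTP, and Max-Age makes it a persistent cookie (Leandro's case 3, browser
    closed) rather than a session-only cookie.
    """
    return (f"remember={token}; Max-Age={ttl_seconds}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


class Session:
    """Stand-in for a per-visit server session (a new WASession in Seaside)."""

    def __init__(self) -> None:
        self.id = secrets.token_urlsafe(24)  # fresh, unguessable per visit
        self.user: Optional[str] = None


def session_for_request(remember_cookie: Optional[str],
                        now: Optional[float] = None) -> Session:
    """Leandro's second option: always create a new session, and set its user
    from a valid remember-me cookie instead of reattaching the old session.

    The old session object is never handed back on the strength of a cookie,
    which removes the cross-machine reuse John warns about: a copied cookie
    identifies a user, not a live session with its in-progress state.
    """
    session = Session()
    if remember_cookie:
        session.user = verify_remember_token(remember_cookie, now)
    return session


if __name__ == "__main__":
    issued_at = 1_000_000
    token = make_remember_token("leandro", 7 * 24 * 3600, now=issued_at)
    print(remember_me_set_cookie(token, 7 * 24 * 3600))
    print("next day:", session_for_request(token, now=issued_at + 86_400).user)
    print("a month later:", session_for_request(token, now=issued_at + 31 * 86_400).user)
```

The two sessions returned for the same cookie have different ids, so presenting the cookie from another machine only yields a new, empty session for that user, never the one in progress elsewhere.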

Leandro Perez wrote:
> Hi list!
> Please consider this situation:
> A user enters the site (a WASession is created), then the user logs in (a
> User model object holding some information is stored in the session, in an
> instance variable), does some work, and:
>     1. leaves the page, i.e. he goes to another web site
>     2. closes the tab holding the page
>     3. closes the browser
>     4. logs out and then leaves.
> 
> Whenever the user re-enters the site, another WASession is created (AFAIK)
> which hasn't got the user information (the user instance variable is nil).
> This is OK in case 4, because no user is logged in. But in cases
> 1-3, when the user comes back, the system should recognize him and his
> information should be available in the current session because, actually, he
> is still logged in.
> 
> If the original session hasn't expired, it could be reassigned so the user
> information is available. Another solution would be working with another
> session but setting its user variable to the one the original session had.
> 
> So, the question would be:
> What is the best way to achieve this, cookies maybe?
> If so, should I consider session-only cookies vs. permanent cookies? (because
> of the difference between cases 1, 2 and case 3)
> 
> Thanks a lot,
> Leandro


Pinesoft Computers are registered in England, Registered number: 2914825. Registered office: 266-268 High Street, Waltham Cross, Herts, EN8 7EA
