[Seaside] Seaside Sessions in a Blog Server

Hernán Morales Durand hernan.morales at gmail.com
Sat Oct 17 18:39:13 UTC 2009


Hi Karsten

2009/10/17 Karsten <karsten at heeg.de>:
> Hi,
>
> there's this constant example of building a blog server with whatever web
> framework. If you try to build a real web server in Seaside you've got to
> handle sessions somewhat properly. If you view a post and have a comment
> input field then the session will be started when you open the post. After
> reading through a very lengthy post the session has probably timed out.
> After writing a lengthy comment it has certainly timed out. If the user
> submits the comment after the session has timed out, his comment is lost.
>

This situation is very common in mobile environments, when the client
moves to places outside network connectivity range and then needs
to reconnect many times.

> The easiest way to handle this is to set the session timeout to maybe a day
> or so. However, I'd rather use a short session time to not have tons of
> sessions in the image.

Another good reason for keeping session times short is to prevent
session hijacking. The longer the session duration, the greater the
chances of successful sniffing.

> What would be the right way to handle that kind of
> situations?

I would do this:

-Separate a session into two objects: one for the Session Duration
proper, and another one for the Data of the session.
-Assign to the Session Duration object a common duration for a valid session.
-Assign to the Session Data object a longer duration (it could hold
navigational information or data in forms).

This way, when a client session expires, the data entered would still
be available there. Of course you will need two identifiers, and to link
them to do a valid re-authorization.

How difficult would it be to do that in Seaside?

Cheers

Hernán
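The two-object split suggested in the reply above, as an added example that is not part of the original thread and is not Seaside code or a Seaside API: a language-neutral sketch in Python of a store that keeps short-lived sessions and longer-lived form drafts under separate identifiers, and links them through the authenticated user at re-authorization time. The class and method names (`TwoTierStore`, `open_draft`, `submit`, `reauthorize`) and the timeouts are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


class SessionExpired(Exception):
    """The short-lived session is gone; the draft may still be retrievable."""


class DraftNotFound(Exception):
    """No such draft, it expired, or it belongs to a different user."""


@dataclass
class Session:
    user: str
    expires_at: float


@dataclass
class Draft:
    user: str                    # principal the draft was issued to; checked on re-auth
    data: Optional[dict]         # form contents, None until something is posted
    expires_at: float


class TwoTierStore:
    """Hypothetical store: short session duration, longer draft (session data) duration."""

    def __init__(self, session_ttl=600, draft_ttl=86400, clock=None):
        import time
        self.session_ttl = session_ttl      # seconds; kept short against hijacking
        self.draft_ttl = draft_ttl          # seconds; long enough to write a comment
        self.clock = clock or time.monotonic
        self.sessions: dict = {}
        self.drafts: dict = {}

    def _purge(self):
        now = self.clock()
        for table in (self.sessions, self.drafts):
            for key in [k for k, v in table.items() if v.expires_at <= now]:
                del table[key]

    def new_session(self, user):
        self._purge()
        sid = secrets.token_urlsafe(32)     # unguessable session identifier
        self.sessions[sid] = Session(user, self.clock() + self.session_ttl)
        return sid

    def current_user(self, sid):
        self._purge()
        session = self.sessions.get(sid)
        if session is None:
            raise SessionExpired(sid)
        return session.user

    def open_draft(self, sid):
        """Issue a draft id when the comment form is rendered (session still live)."""
        user = self.current_user(sid)
        did = secrets.token_urlsafe(32)     # second, independent identifier
        self.drafts[did] = Draft(user, None, self.clock() + self.draft_ttl)
        return did

    def submit(self, sid, did, data=None):
        """Store the posted data first, then require a live session to commit it."""
        self._purge()
        draft = self.drafts.get(did)
        if draft is None:
            raise DraftNotFound(did)
        if data is not None:
            draft.data = dict(data)         # retained even if the session check fails
        user = self.current_user(sid)       # raises SessionExpired; draft survives
        if draft.user != user or draft.data is None:
            raise DraftNotFound(did)        # never commit another user's draft
        del self.drafts[did]
        return draft.data

    def reauthorize(self, user, did):
        """After a fresh login, link a new session to the existing draft."""
        self._purge()
        draft = self.drafts.get(did)
        if draft is None or draft.user != user:
            raise DraftNotFound(did)        # only the original author may resume it
        return self.new_session(user)


def demo():
    """Karsten's scenario with a fake clock: the session dies, the comment does not."""
    now = [0.0]
    store = TwoTierStore(session_ttl=600, draft_ttl=86400, clock=lambda: now[0])
    sid = store.new_session("alice")
    did = store.open_draft(sid)             # form rendered with a hidden draft id
    now[0] += 3600                          # an hour reading and writing
    try:
        store.submit(sid, did, {"comment": "a lengthy comment"})
    except SessionExpired:
        pass                                # session gone, draft retained
    new_sid = store.reauthorize("alice", did)
    return store.submit(new_sid, did)       # committed under the new session
```

The point of binding the draft to the user rather than to the old session id is that re-authorization can be verified: a new login by the same principal resumes the draft, while anyone else holding the draft id is refused, and the draft still disappears on its own once its longer duration runs out.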

