[Seaside] Seaside Sessions in a Blog Server
Hernán Morales Durand
hernan.morales at gmail.com
Sat Oct 17 18:39:13 UTC 2009
Hi Karsten
2009/10/17 Karsten <karsten at heeg.de>:
> Hi,
>
> there's this constant example of building a blog server with whatever web
> framework. If you try to build a real webserver in Seaside you've got to
> handle sessions somewhat properly. If you view a post and have a comment
> input field then the session will be started when you open the post. After
> reading through a very lengthy post the session has probably timed out.
> After writing a lengthy comment it's certainly timed out. If the user
> submits the comment after the session is timed out, his comment is lost.
>
This situation is very common in mobile environments, when the client
moves to places outside the network connectivity range and then needs
to reconnect many times.
> The easiest way to handle this is to set the session timeout to maybe a day
> or so. However, I'd rather use a short session time to not have tons of
> sessions in the image.
And another good reason for keeping short session times is to prevent
session hijacking. The longer the session duration, the greater the
chances of successful sniffing.
> What would be the right way to handle that kind of
> situations?
I would do this:
-Separate a session into two objects: one for the proper Session
Duration, and another one for the Data of the session.
-Assign to the Session Duration object a common duration for a valid session.
-Assign to the Session Data object a longer duration (it could be
navigational information or data in forms).
This way, when a client session expires, the data entered would still
be available. Of course you will need two identifiers and link them
to do a valid re-authorization.
How difficult would it be to do that in Seaside?
Cheers
Hernán
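The split proposed above (a short-lived authorization session, a longer-lived
session-data object, and two linked identifiers used for re-authorization)
sketched as a framework-neutral model. This is an added example, not code
from the original post and not Seaside code; the class names, the two
lifetimes (15 minutes and 1 day) and the constructed scenario are
assumptions. The credential check on re-login is assumed to happen before
`reauthorize` is called.

```python
import secrets

# Assumed lifetimes (not from the original post): a short one for the
# authorization session and a long one for the parked form data.
AUTH_TTL = 15 * 60          # 15 minutes
DRAFT_TTL = 24 * 60 * 60    # 1 day


class ExpiringStore:
    """Key/value store whose entries die ttl seconds after creation.

    Keys are random and unguessable, so each key is a bearer token for the
    value it points at; what that token is allowed to do is decided by the
    server below, not by the store.
    """

    def __init__(self, ttl):
        self.ttl = ttl
        self.items = {}  # key -> (expires_at, value)

    def create(self, value, now):
        key = secrets.token_urlsafe(24)
        self.items[key] = (now + self.ttl, value)
        return key

    def get(self, key, now):
        entry = self.items.get(key)
        if entry is None:
            return None
        expires_at, value = entry
        if expires_at <= now:
            del self.items[key]
            return None
        return value

    def delete(self, key):
        self.items.pop(key, None)

    def sweep(self, now):
        """Drop expired entries; returns how many entries remain."""
        for key in [k for k, (exp, _) in self.items.items() if exp <= now]:
            del self.items[key]
        return len(self.items)


class BlogServer:
    """Two objects per visitor: a short-lived session carrying the
    authorization, and a long-lived draft carrying the form data."""

    def __init__(self):
        self.sessions = ExpiringStore(AUTH_TTL)   # the "Session Duration" object
        self.drafts = ExpiringStore(DRAFT_TTL)    # the "Session Data" object
        self.published = []

    def open_post(self, user, post_id, now):
        """Viewing a post creates both objects and links them: the session
        remembers its draft id, the draft remembers its owner."""
        draft_id = self.drafts.create({"user": user, "post": post_id, "body": ""}, now)
        session_id = self.sessions.create({"user": user, "draft": draft_id}, now)
        return session_id, draft_id

    def submit_comment(self, session_id, draft_id, body, now):
        """Publish only if the session is valid AND linked to this draft;
        otherwise park the text in the draft and ask for re-authorization."""
        session = self.sessions.get(session_id, now)
        if session is not None and session["draft"] == draft_id:
            comment = {"user": session["user"], "body": body}
            self.published.append(comment)
            self.drafts.delete(draft_id)
            return "published", comment
        draft = self.drafts.get(draft_id, now)
        if draft is None:
            return "lost", None              # both objects have expired
        draft["body"] = body                 # a draft id alone never publishes
        return "reauthorize", draft_id

    def reauthorize(self, user, draft_id, now):
        """After the user has logged in again (credential check assumed done
        by the caller), issue a fresh session linked to the surviving draft.
        The expired session id is never revived."""
        draft = self.drafts.get(draft_id, now)
        if draft is None or draft["user"] != user:
            return None
        return self.sessions.create({"user": user, "draft": draft_id}, now)

    def recover_draft(self, session_id, now):
        """Text to pre-fill the comment form after re-authorization."""
        session = self.sessions.get(session_id, now)
        if session is None:
            return None
        draft = self.drafts.get(session["draft"], now)
        return None if draft is None else draft["body"]
```

The draft identifier is deliberately powerless on its own: a stolen draft id
lets an attacker overwrite unpublished text, but publishing still requires a
live session whose linked draft matches, and re-linking requires the owner to
log in again. Sweeping the session store on the short lifetime keeps the
number of live sessions small while the drafts survive for their own, longer
lifetime.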