[Seaside] Seaside Sessions in a Blog Server

Hernán Morales Durand hernan.morales at gmail.com
Sat Oct 17 18:39:13 UTC 2009

Hi Karsten

2009/10/17 Karsten <karsten at heeg.de>:
> Hi,
> there's this constant example of building a blog server with whatever web
> framework. If you try to build a real webserver in Seaside you've got to
> handle sessions somewhat properly. If you view a post and have a comment
> input field then the session will be started when you open the post. After
> reading through a very lengthy post the session has probably timed out.
> After writing a lengthy comment it's certainly timed out. If the user
> submits the comment after the session has timed out, his comment is lost.

This situation is very common in mobile environments, where the client
moves to places outside the network connectivity range and then needs
to reconnect many times.

> The easiest way to handle this is to set the session timeout to maybe a day
> or so. However, I'd rather use a short session time to not have tons of
> sessions in the image.

And another good reason to keep session times short is to prevent
session hijacking. The longer the session duration, the greater the
chances of successful sniffing.

> What would be the right way to handle that kind of
> situations?

I would do this:

-Separate a session into two objects: one for the proper Session
Duration, and another one for the Data of the session.
-Assign to the Session Duration object a common duration for a valid session.
-Assign to the Session Data object a longer duration (it could be
navigational information or data in forms).

This way, when a client session expires, the data entered would still
be available. Of course you will need two identifiers and to link them
to do a valid re-authorization.

How difficult would it be to do that in Seaside?
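As an added example (not from this thread, and not Seaside or Smalltalk code), here is a small Python model of the two-object design Hernán describes: a short-lived session object and a separate, longer-lived draft object for form data, each with its own identifier, linked again at publish time by a re-authorization check. The class and function names, the two lifetimes (SESSION_TTL, DRAFT_TTL), the injected clock and the sample scenario are all assumptions made for the example. The security point it makes explicit is that the draft identifier only authorizes storing text under that draft; publishing still needs a live session whose user owns the draft, so a long-lived draft id does not extend the hijacking window of the short-lived session.

```python
"""Model of splitting a web session into a short-lived session and a
long-lived draft store. Added example; not Seaside code. All names are
hypothetical."""
import secrets
import time
from dataclasses import dataclass

# Assumed lifetimes: the session one is short (limits the hijacking window),
# the draft one is long (form data survives the session timing out).
SESSION_TTL = 10 * 60
DRAFT_TTL = 24 * 60 * 60


@dataclass
class Session:
    user: str
    expires_at: float


@dataclass
class Draft:
    owner: str        # user who started the draft; only that user may publish it
    post_id: str
    text: str
    expires_at: float


class CommentServer:
    """Two stores, two identifiers: a session id and a draft id."""

    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so the scenario can fast-forward time
        self.sessions = {}       # session id -> Session
        self.drafts = {}         # draft id -> Draft
        self.comments = []       # published (user, post_id, text)

    # --- short-lived session --------------------------------------------
    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, self.clock() + SESSION_TTL)
        return sid

    def _session(self, sid):
        s = self.sessions.get(sid)
        if s is None or s.expires_at <= self.clock():
            self.sessions.pop(sid, None)   # expired: drop it from the image
            return None
        return s

    # --- long-lived draft -------------------------------------------------
    def open_draft(self, sid, post_id):
        """Called when the post (with its comment field) is rendered."""
        s = self._session(sid)
        if s is None:
            raise PermissionError("session expired")
        draft_id = secrets.token_urlsafe(32)
        self.drafts[draft_id] = Draft(s.user, post_id, "", self.clock() + DRAFT_TTL)
        return draft_id

    def save_draft(self, draft_id, text):
        """Accepted even when the session is gone: the draft id authorizes
        nothing but storing text under this draft."""
        d = self.drafts.get(draft_id)
        if d is None or d.expires_at <= self.clock():
            self.drafts.pop(draft_id, None)
            raise KeyError("draft expired")
        d.text = text
        return True

    def publish(self, sid, draft_id):
        """Re-authorization: needs a live session whose user owns the draft."""
        s = self._session(sid)
        if s is None:
            return "reauth-required"          # the draft is still there
        d = self.drafts.get(draft_id)
        if d is None or d.expires_at <= self.clock():
            return "draft-expired"
        if d.owner != s.user:
            return "forbidden"                # a fresh login by someone else
        self.comments.append((s.user, d.post_id, d.text))
        del self.drafts[draft_id]
        return "published"

    def purge(self):
        """Periodic sweep so neither store grows without bound."""
        now = self.clock()
        self.sessions = {k: v for k, v in self.sessions.items() if v.expires_at > now}
        self.drafts = {k: v for k, v in self.drafts.items() if v.expires_at > now}
        return len(self.sessions), len(self.drafts)


def scenario():
    """The case from the post: long read, session expires, comment survives."""
    t = [0.0]
    srv = CommentServer(clock=lambda: t[0])
    sid = srv.login("karsten")
    draft = srv.open_draft(sid, "post-1")
    t[0] += 2 * SESSION_TTL                      # lengthy read: session times out
    srv.save_draft(draft, "a lengthy comment")   # still accepted
    first = srv.publish(sid, draft)              # reauth-required, nothing lost
    sid2 = srv.login("karsten")                  # user logs in again
    second = srv.publish(sid2, draft)            # published under the new session
    return first, second, srv.comments
```

The draft id is sent back with the form like any other hidden field; if the session has expired, the server keeps the text and asks the user to log in again, then links the new session to the old draft. The ownership check in publish is what makes that link a re-authorization rather than a way to bypass the session timeout.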
