1
Zope3 Session Implementation
2
============================
8
Session data is maintained on the server. This gives a security
9
advantage in that we can assume that a client has not tampered with
10
the data. However, this can have major implications for scalability
11
as modifying session data too frequently can put a significant load
12
on servers and in extreme situations render your site unusable.
13
Developers should keep this in mind when writing code or risk
14
problems when their application is run in a production environment.
16
Applications requiring write-intensive session implementations (such
17
as page counters) should consider using cookies or specialized
18
session implementations.
20
Sessions allow us to fake state over a stateless protocol - HTTP.
21
We do this by having a unique identifier stored across multiple
22
HTTP requests, be it a cookie or some id mangled into the URL.
25
The `IClientIdManager` Utility provides this unique id. It is
26
responsible for propagating this id so that future requests from
27
the client get the same id (eg. by setting an HTTP cookie). This
28
utility is used when we adapt the request to the unique client id:
30
>>> client_id = IClientId(request)
32
The `ISession` adapter gives us a mapping that can be used to store
33
and retrieve session data. A unique key (the package id) is used
34
to avoid namespace clashes:
36
>>> pkg_id = 'products.foo'
37
>>> session = ISession(request)[pkg_id]
38
>>> session['color'] = 'red'
40
>>> session2 = ISession(request)['products.bar']
41
>>> session2['color'] = 'blue'
52
The actual data is stored in an `ISessionDataContainer` utility.
53
`ISession` chooses which `ISessionDataContainer` should be used by
54
looking up as a named utility using the package id. This allows
55
the site administrator to configure where the session data is actually
56
stored by adding a registration for desired `ISessionDataContainer`
57
with the correct name.
59
>>> from zope.component import getUtility
60
>>> sdc = getUtility(ISessionDataContainer, pkg_id)
61
>>> sdc[client_id][pkg_id] is session
63
>>> sdc[client_id][pkg_id]['color']
66
If no `ISessionDataContainer` utility can be located by name using the
67
package id, then the unnamed `ISessionDataContainer` utility is used as
68
a fallback. An unnamed `ISessionDataContainer` is automatically created
69
for you, which may replaced with a different implementation if desired.
71
>>> ISession(request)['unknown'] \
72
... is getUtility(ISessionDataContainer)[client_id]['unknown']
75
The `ISessionDataContainer` contains `ISessionData` objects, and
76
`ISessionData` objects in turn contain `ISessionPkgData` objects. You
77
should never need to know this unless you are writing administrative
78
views for the session machinery.
80
>>> ISessionData.providedBy(sdc[client_id])
82
>>> ISessionPkgData.providedBy(sdc[client_id][pkg_id])
85
The `ISessionDataContainer` is responsible for expiring session data.
86
The expiry time can be configured by settings its `timeout` attribute.
88
>>> sdc.timeout = 1200 # 1200 seconds or 20 minutes
94
Data stored in the session must be persistent or picklable.
96
>>> session['oops'] = open(__file__)
97
>>> import transaction
98
>>> transaction.commit()
99
Traceback (most recent call last):
101
TypeError: can't pickle file objects
104
>>> transaction.abort()
110
Session data may be accessed in page template documents using
113
<span tal:content="request/session:products.foo/color | default">
119
<div tal:define="session request/session:products.foo">
120
<script type="text/server-python">
122
session['count'] += 1
127
<span tal:content="session/count" />