From: Lukas L. <al...@in...> - 2005-01-23 02:08:35

Hello,

I'm thinking about authorization handling on my pages. I'd like to ask some questions about session handling in spyce. Because my pages will be bigger, I'm creating UserSession [for authorization handling] and Kernel [for "core page" handling] modules.

1) "Garbage collection"
How are server cookies (/tmp/spyxxx) deleted? Is this automatically handled by spyce?

2) Manual deletion of the server cookie.
I'd like to be able to "destroy" session - with its cookie.
Situation: On the page, I create an auto session. If it's empty (new), I set user as unlogged (in Session module). When the user does not log in, I will not send out session Id etc (I do not want to handle sessions for anonymous users, because I'm using mod_rewrite and because some links have to be permanent for "outer world", I do not like to have session ID on the end of URI).
On the end of the script (when I always call kernel.web_end() method), I'd like to delete server cookie from server, as normally one cookie will be generated for each user's request.

3) server cookie name
I'm not sure if [\d]{4}_[\d]{6} cookie name is variable/safe enough. I'd like to generate longer and safer names (as, i. e. PHP does).

Thanks for any hints.

Regards,
-- 
Lukas "Almad" Linhart
[:: http://www.Include.cz/ ::] [:: Including Your wishes ::]
[:: PGP/GNUPg key: http://download.almad.net/pubkey.asc ::]

From: Rimon B. <rim...@co...> - 2005-01-27 16:21:16

Hi Lukas,

> 1) "Garbage collection" How are server cookies (/tmp/spyxxx) deleted?
> Is this automatically handled by spyce?

The automatic sessions have an expiration time. Each time the session module is invoked it randomly decides whether to perform a garbage collection sweep. A sweep checks all sessions and removes those that have expired. The benefit of this is:
a - cost of garbage collection is low as it does not happen on every session load
b - don't need a separate cleaner process.
The cost, of course, is that sessions will hang around until the next random sweep time. In expectation, everything works just fine.

> 2) Manual deletion of the server cookie.
> I'd like to be able to "destroy" session - with its cookie.

session.delete(id)

> 3) server cookie name
> I'm not sure if [\d]{4}_[\d]{6} cookie name is variable/safe enough. I'd like
> to generate longer and safer names (as, i. e. PHP does).

The session identifiers are returned by session handlers. You can define your own: just subclass session.sessionHandler. There are already implementations for directory-based (individual files in a directory), hash-file-based (DBM) and user callback (provide your own functions) session handlers.

All the best,
Rimon.
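
The three points in this reply (a longer, unpredictable session identifier, explicit deletion, and an expiry sweep that runs on a random fraction of requests) are sketched below as an added example that is not part of the original thread and is not Spyce's code. `DirSessionStore` and its method names are hypothetical; the class does not subclass or call Spyce's `session.sessionHandler`, and the TTL and sweep probability are assumed values.

```python
import math, os, random, re, secrets, time

# Upper bound for the [\d]{4}_[\d]{6} name pattern quoted in the thread:
# 10 decimal digits, even if every digit were uniformly random.
DIGIT_PATTERN_BITS = 10 * math.log2(10)      # about 33.2 bits
TOKEN_BYTES = 32                             # 256 bits from the OS CSPRNG
ID_RE = re.compile(r"[A-Za-z0-9_-]{43}")     # shape of token_urlsafe(32)

class DirSessionStore:
    """Hypothetical directory-based store; it does not use Spyce's classes."""

    def __init__(self, root, ttl=1800, sweep_probability=0.05):
        self.root, self.ttl, self.sweep_probability = root, ttl, sweep_probability

    def _path(self, sid):
        # Validate the client-supplied ID before it reaches the filesystem.
        if not ID_RE.fullmatch(sid):
            raise ValueError("malformed session id")
        return os.path.join(self.root, "sess_" + sid)

    def new(self, data=b""):
        if random.random() < self.sweep_probability:  # scheduling only, not a secret
            self.sweep()
        sid = secrets.token_urlsafe(TOKEN_BYTES)
        # O_EXCL refuses to reuse an existing file; 0o600 keeps it owner-only.
        fd = os.open(self._path(sid), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return sid

    def exists(self, sid):
        return os.path.exists(self._path(sid))

    def delete(self, sid):
        try:
            os.unlink(self._path(sid))
        except FileNotFoundError:
            pass  # already gone: deletion is idempotent

    def sweep(self, now=None):
        now = time.time() if now is None else now
        removed = 0
        for name in os.listdir(self.root):
            path = os.path.join(self.root, name)
            if name.startswith("sess_") and now - os.path.getmtime(path) > self.ttl:
                os.unlink(path)
                removed += 1
        return removed
```

Point `root` at a directory owned by the web server user rather than a shared `/tmp`, so other local accounts cannot list or read session files.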