Sessions and Users, was: Re: [Pangloss] [RFC] OpenFrame AppKit ideas

Chris Croome chris at webarchitects.co.uk
Tue Apr 8 11:01:07 BST 2003


Hi

On Tue 08-Apr-2003 at 09:47:01AM +0100, Steve Purkis wrote:
> 
> On Monday, April 7, 2003, at 04:03  pm, Jean-Michel Hiver wrote:
> 
> >URLs? How are you going to get the URLs to be automagically
> >appended with some kind of sessionIDs?
> 
> However you like, really.  Maybe you'd pass a URI generator in to
> the template?  But how isn't so important at this stage as
> recognizing the fact that someone may want to subclass the
> SessionLoader to do it is.
> 
> >Plus, I think a session model based on the user name (when you do
> >authentication via HTTP authentication) would also be a good
> >idea.
> 
> There's no reason you can't sub-class SessionLoader to load the
> user from $ENV{REMOTE_USER} as needed.  But I think working with
> users should be done by the app developer as they're bound to be
> different for each application.

I don't fully follow all this but I don't see the need for sessions.
For example, if we want anon access for reading and usernames for
writing, something like this can be done (anyone can GET but SSL and
a Username and Password are required to POST):

  <Location /pangloss>
     Order allow,deny
     Allow from all
     # Limit write permission to list of valid users.
     <LimitExcept GET HEAD>
        # Require SSL connection for password protection.
        SSLRequireSSL
        AuthType Basic
        AuthName "Authorization Realm"
        AuthUserFile /home/foo/.htpasswd
        Require valid-user
     </LimitExcept>
  </Location>

GET should never change state on the server side; that should be
limited to POST (since we are not going to be using WebDAV it is
this simple...).

But perhaps I'm missing something -- what is the idea behind
sessions?

Chris

-- 
Chris Croome                               <chris at webarchitects.co.uk>
web design                             http://www.webarchitects.co.uk/ 
web content management                               http://mkdoc.com/   

