21. Session Management

This chapter describes Zope’s built-in Session Management.

21.1. Terminology

21.1.1. Here’s a mini-glossary of of key terms used within this document:

Web session
a series of HTTP requests from the same browser to the same server during that browser’s execution life-span.
Browser Id
the string or integer used to represent a single anonymous visitor to the part of the Zope site managed by a single browser id manager. E.g. “12083789728”.
Browser Id Name
the name which is looked for in places enumerated by the currently configured browser id namespaces. E.g. “_ZopeId”.
Browser Id Namespaces
the browser id name will be found in one of three possible places (“namespaces”): in form elements and/or query strings (aka “form”), in a cookie, or in the URL.
Session Data Object
an transient data object that is found by asking a session data container for the item with a key that is the current browser id value.
Session Id
the identifier for a session data object. This is different than the browser id. Instead of representing a single - visitor- , it represents a single - visit- .

21.2. Session Managers

Web browsers communicate with Web Servers using HTTP. HTTP does not provide tools that can track users and data in the context of a web session. Zope’s session management works-around the problem: it provides methods able to track site visitor activity. Applications like “shopping carts” use session management for this reason.

Zope’s session management makes use of name-spaces like cookies, HTTP form elements, and/or parts of URLs “in the background” to keep track of user sessions. Which of these name-spaces are used is configurable using the browser_id manager (described later).

Session data is valid for the duration of a configurable inactivity timeout value or browser shut-down, which ever comes first. Zope’s session management keeps track of anonymous users as well as those who have Zope login accounts.

Important! Data maintained by Zope’s session management is no more secure than HTTP itself. A session is secure if and only if:

  • the connection between a browser and Zope uses strong encryption (SSL normally).
  • precautions specific to the security exposure are taken.

It’s clear that you should not store sensitive information like credit card numbers in a session container unless you understand the vulnerabilities. See the section entitled Security Considerations near the end of this document.

It is advisable to use sessions only on pages where they are necessary because of a performance impact on your application. The severity varies depending on usage and configuration. A good “rule of thumb” is to account for a 5% - 10% speed-of-execution penalty.

Some hints:

  • Do not use SESSION to store REQUEST variables. They are already available in the REQUEST.
  • Do not store any data in SESSION that you can get from the Zope API. Its faster (and more secure) to get user Id from Zope’s Security Manager then it is from the SESSION object.

21.3. Session Manager Components

21.3.1. Browser Id Manager

This component determines a remote client’s “browser id”, which uniquely identifies a particular browser. The browser id is encoded in a form/querystring variable, a cookie variable, or as part of the URL. The browser id manager examines cookies, form and querystring elements, and URLs to determine the client’s browser id. It can also modify cookies and URLs automatically in order to differentiate users between requests.

  • There may be more than one browser id manager in a Zope installation, but commonly there will only be one. Application developers will generally not talk directly to a browser id manager. Instead, they will use the Transient Data Object (REQUEST.SESSION) which delegates some calls to a browser_id manager.

  • Browser id managers have “fixed” Zope ids so they can be found via acquisition by session data managers. Browser id managers also have interfaces for encoding a URL with browser id information and performing other utility functions.

  • The default sessioning configuration provides a Browser Id Manager as the:

    /browser_id_manager object
    

21.3.2. Session Data Manager

This component is responsible for handing out session data to callers. When session data is required, the session data manager:

  • talks to a browser id manager to determine the current browser id-
  • creates a new session data object or hands back an existing session data object based on the browser id.
  • Developers generally do not directly use methods of session data managers to obtain session data objects. Instead, they rely on the built-in REQUEST.SESSION object, which represents the current session data object related to the user’s browser id.

  • The session data object has an identifier distinct from the browser id. This identifier represents a single user session with the server (unlike the browser id, which represents a single browser). Many session data managers can use one browser id manager. Many session data managers can be instantiated on a single Zope installation. Different session data managers can implement different policies related to session data object storage (e.g. to which session data container the session data objects are stored).

  • The default sessioning configuration provides a Session Data Manager named:

    /session_data_manager
    

21.3.3. Transient Object Container

Also known as Session Data Containers, these components actually hold information related to sessions.

  • Currently, a Transient Object Container is used to hold a special “transient data object” instance for each ongoing session. Developers will generally not interact with transient data containers. Transient data containers are

  • responsible for expiring the session data objects which live within them.

  • The default sessioning configuration provides a Transient Object Container named:

    /temp_folder/session_data
    

    The session data objects in the default:

    session_data
    

    Transient Object container are lost each time Zope is restarted.

21.3.4. Transient Data Object

Also known as the Session Data Object. These are the objects which are stored in session data containers and managed by transient data managers.

  • Developers interact with a transient data object after obtaining one via REQUEST.SESSION or from a session data manager directly. A single transient data object actually stores the useful information related to a single user’s session.
  • Transient data objects can be expired automatically by transient data containers as a result of inactivity, or they can be manually invalidated in the course of a script.

21.4. Using Session Data

You will typically access session data through the:

SESSION

attribute of the REQUEST object. Session data objects are like Python dictionaries: they can hold almost any kind of object as a key or a value. It’s likely you will almost always use “normal” Python objects such as lists, dictionaries, strings, and numbers.

Here’s an example of how to work with a session using a Python Script:

## Script (Python) "sessionTest"
secs_per_day=24*60*60
session=context.REQUEST.SESSION
if session.has_key('last view'):
    # The script has been viewed before, since the 'last view'
    then=session['last view']
    now=context.ZopeTime()
    session['last view']=now # reset last view to now
    return 'Seconds since last view %.2f' % ((now - then) * secs_per_day)

# The script hasn't been viewed before, since there's no 'last view'
session['last view']=context.ZopeTime()
return 'This is your first view'

This example shows how to access SESSION data. But it is not a “best practice” example. If performance is an issue, you should not attempt to keep last-accessed time in this manner in a production application because it might slow your application down dramatically and cause problems under high load.

Create a script with this body named sessionTest in your root folder and then click its Test tab. While viewing the output, reload the frame a few times. Note that the script keeps track of when you last viewed it and calculates how long it has been since you last viewed it. Notice that if you quit your browser and come back to the script it forgets you were ever there. However, if you simply visit some other pages and then return within 20 minutes or so, it still remembers the last time you viewed it.

See the Concepts and Caveats section at the end of this document for things to watch out for while accessing Zope’s Session Manager “naively”.

You can use sessions in Page Templates and DTML Documents, too. For example, here’s a template snippet that displays the users favorite color (as stored in a session):

<p tal:content="request/SESSION/favorite_color">Blue</p>

Sessions have additional configuration parameters and usage patterns detailed below.

21.5. Default Configuration

Zope is preconfigured with a default sessioning setup.

The Zope “default” browser id manager lives in the root folder and is named:

browser_id_manager

The Zope “default” session data manager lives in the root folder and is named:

session_data_manager

A “default” transient data container (session data container) is created as:

/temp_folder/session_data

when Zope starts up. The:

temp_folder

object is a “mounted, nonundoing” database that keeps information in RAM, so “out of the box”, Zope stores session information in RAM. The temp folder is a “nonundoing” storage (meaning you cannot undo transactions which take place within it) because accesses to transient data containers are very write-intensive, and undoability adds unnecessary overhead.

A transient data container stores transient data objects. The default implementation the transient data object shipped with Zope is engineered to reduce the potential inherent in the ZODB for “conflict errors” related to the ZODB’s “optimistic concurrency” strategy.

You needn’t change any of these default options to use sessioning under Zope unless you want to customize your setup. However, if you have custom needs, can create your own session data managers, browser id managers, temporary folders, and transient object containers by choosing these items from Zope’s “add” list in the place of your choosing.

21.6. Advanced Development Using Sessioning

21.6.1. Overview

When you work with the REQUEST.SESSION object, you are working with a “session data object” that is related to the current site user.

Session data objects have methods of their own, including methods with allow developers to get and set data. Session data objects are also “wrapped” in the acquisition context of their session data manager, so you may additionally call any method on a session data object that you can call on a session data manager.

21.6.2. Obtaining A Session Data Object

The session data object associated with the browser id in the current request may be obtained via REQUEST.SESSION. If a session data object does not exist in the session data container, one will be created automatically when you reference REQUEST.SESSION:

<dtml-let data="REQUEST.SESSION">
    The 'data' name now refers to a new or existing session data object.
</dtml-let>

You may also use the:

getSessionData()

method of a session data manager to do the same thing:

<dtml-let data="session_data_manager.getSessionData()">
    The 'data' name now refers to a new or existing session data object.
</dtml-let>

A reference to REQUEST.SESSION or:

getSessionData()

implicitly creates a new browser id if one doesn’t exist in the current request. These mechanisms also create a new session data object in the session data container if one does not exist related to the browser id in the current request. To inhibit this behavior, use the create=0 flag to the:

getSessionData()

method. In ZPT:

<span tal:define="data python:context.session_data_manager.getSessionData(create=0)">

Note: create=0 means return a reference to the session or None. create=1 means return a reference if one exists or create a new Session object and the reference.

21.6.3. Modifying A Session Data Object

Once you’ve used REQUEST.SESSION or:

session_data_manager.getSessionData()

to obtain a session data object, you can set key/value pairs of that session data object.

In ZPT:

<span tal:define="data python: request.SESSION">
    <tal:block define="temp python: data.set('foo','bar')">
        <p tal:content="python: data.get('foo')">bar will print here"</p>
    </tal:block>
</span>

An essentially arbitrary set of key/value pairs can be placed into a session data object. Keys and values can be any kinds of Python objects (note: see Concepts and Caveats section below for exceptions to this rule). The session data container which houses the session data object determines its expiration policy. Session data objects will be available across client requests for as long as they are not expired.

21.6.4. Clearing A Session Data Object

You can clear all keys and values from a SESSION object by simply calling its clear() method.

In ZPT:

<span tal:define="dummy python:request.SESSION.clear()"></span>

21.6.5. Manually Invalidating A Session Data Object

Developers can manually invalidate a session data object. When a session data object is invalidated, it will be flushed from the system.

There is a caveat. If you invalidate the session object in a script then you must obtain a fresh copy of the session object by calling getSessionData and not by reference (REQUEST.SESSION).

Here is an example using DTML::

<!-- set a SESSION key and value -->
<dtml-let data="REQUEST.SESSION">
<dtml-call "data.set('foo','bar')

<!-- Now invalidate the SESSION -->
<dtml-call "data.invalidate()">

<!-- But REQUEST.SESSION gives us stale data which is bad.
The next statement will still show 'foo' and 'bar'
<dtml-var "REQUEST.SESSION>

<!-- Heres the work-around: -->
data = session_data_manager.getSessionData()

<!-- Now we get a fresh copy and life is good as 'foo' and 'bar' have gone away as expected -->
<dtml-var data>

Manual invalidation of session data is useful when you need a “fresh” copy of a session data object.

If an “onDelete” event is defined for a session data object, the onDelete method will be called before the data object is invalidated. See a following section for information about session data object “onDelete” and “onAdd” events.

21.6.7. Using Session Data with TAL

Here’s an example of using the session data object with TAL:

<span tal:define="a python:request.SESSION;
                  dummy python:a.set('zopetime',context.ZopeTime())">
    <p tal:content="python: a.get('zopetime')"></p>
</span>

21.6.8. Using Session Data From Python

Here’s an example of using a session data manager and session data object from a set of Python external methods:

import time
def setCurrentTime(self):
    a = self.REQUEST.SESSION
    a.set('thetime', time.time())

def getLastTime(self):
    a = self.REQUEST.SESSION
    return a.get('thetime')

Calling the setCurrentTime will set the value of the current session’s “thetime” key to an integer representation of the current time. Calling the getLastTime external method will return the integer representation of the last known value of “thetime”.

21.6.9. Interacting with Browser Id Data

You can obtain the browser id value associated with the current request:

<dtml-var "REQUEST.SESSION.getBrowserIdManager().getBrowserId()">

Another way of doing this, which returns the same value is:

<dtml-var "REQUEST.SESSION.getContainerKey()">

If no browser id exists for the current request, a new browser id is created implicitly and returned.

If you wish to obtain the current browser id value without implicitly creating a new browser id for the current request, you can ask the browser_id_manager object explicitly for this value with the create=0 parameter:

<dtml-var "browser_id_manager.getBrowserId(create=0)">

This snippet will print a representation of the None value if there isn’t a browser id associated with the current request, or it will print the browser id value if there is one associated with the current request. Using create=0 is useful if you do not wish to cause the sessioning machinery to attach a new browser id to the current request, perhaps if you do not wish a browser id cookie to be set.

The browser id is either a string or an integer and has no business meaning. In your code, you should not rely on the browser id value composition, length, or type as a result, as it is subject to change.

21.6.10. Determining Which Namespace Holds The Browser Id

For some applications, it is advantageous to know from which namespace ( “cookies”, “form”, or “url”) the browser id has been gathered.

It should be noted that you can configure the browser_id_manager (its in Zope root by default) so that it searches whatever combination of namespaces you select.

There are three methods of browser id managers which allow you to accomplish this:

<dtml-if "REQUEST.SESSION.getBrowserIdManager().isBrowserIdFromCookie()">
    The browser id came from a cookie.
</dtml-if>

<dtml-if "REQUEST.SESSION.getBrowserIdManager().isBrowserIdFromForm()">
    The browser id came from a form.
</dtml-if>

<dtml-if "REQUEST.SESSION.getBrowserIdManager().isBrowserIdFromUrl()">
    The browser id came from the URL.
</dtml-if>

The:

isBrowserIdFromCookie()

method will return true if the browser id in the current request comes from the:

REQUEST.cookies

namespace. This is true if the browser id was sent to the Zope server as a cookie.

The:

isBrowserIdFromForm()

method will return true if the browser id in the current request comes from the:

REQUEST.form

namespace. This is true if the browser id was sent to the Zope server encoded in a query string or as part of a form element.

The:

isBrowserIdFromUrl()

method will return true if the browser id in the current request comes from the leading elements of the URL.

If a browser id doesn’t actually exist in the current request when one of these methods is called, an error will be raised.

During typical operations, you shouldn’t need to use these methods, as you shouldn’t care from which namespace the browser id was obtained. However, for highly customized applications, this set of methods may be useful.

21.6.11. Obtaining the Browser Id Name/Value Pair and Embedding It Into A Form

You can obtain the browser id name from a browser id manager instance. We’ve already determined how to obtain the browser id itself. It is useful to also obtain the browser id name if you wish to embed a browser id name/value pair as a hidden form field for use in POST requests. Here’s a TAL example:

<span tal:define="idManager python:request.SESSION.getBrowserIdManager()">
    <form action="thenextmethod">
        <input type=submit name="submit" value=" GO ">
        <input type="hidden" name="name" value="value"
               tal:attributes="name python: idManager.getBrowserIdName();
                               value python: idManager.getBrowserId()">
    </form>
</span>

A convenience function exists for performing this action as a method of a browser id manager named “getHiddenFormField”:

<html>
<body>
  <form action="thenextmethod">
    <input type="submit" name="submit" value=" GO ">
    <dtml-var "REQUEST.SESSION.getBrowserIdManager().getHiddenFormField()">
  </form>
</body>
</html>

When the above snippets are rendered, the resulting HTML will look something like this:

<html>
<body>
  <form action="thenextmethod">
    <input type="submit" name="submit" value=" GO ">
    <input type="hidden" name="_ZopeId" value="9as09a7fs70y1j2hd7at8g">
  </form>
</body>
</html>

Note that to maintain state across requests when using a form submission, even if you’ve got

  • Automatically Encode
  • Zope-Generated URLs With a Browser Id

checked off in your browser id manager, you’ll either need to encode the form “action” URL with a browser id (see “Embedding A Browser Id Into An HTML Link” below) or embed a hidden form field.

21.6.12. Using formvar-based sessioning.

To use formvar-based sessioning, you need to encode a link to its URL with the browser id by using the browser id manager’s:

encodeUrl()

method.

21.6.13. Determining Whether A Browser Id is “New”

A browser id is “new” if it has been set in the current request but has not yet been acknowledged by the client. “Not acknowledged by the client” means it has not been sent back by the client in a request. This is the case when a new browser id is created by the sessioning machinery due to a reference to REQUEST.SESSION or similar as opposed to being received by the sessioning machinery in a browser id name namespace. You can use the:

isBrowserIdNew()

method of a browser id manager to determine whether the session is new:

<dtml-if "REQUEST.SESSION.getBrowserIdManager().isBrowserIdNew()">
    Browser id is new.
<dtml-else>
    Browser id is not new.
</dtml-if>

This method may be useful in cases where applications wish to prevent or detect the regeneration of new browser ids when the same client visits repeatedly without sending back a browser id in the request (such as may be the case when a visitor has cookies “turned off” in their browser and the browser id manager only uses cookies).

If there is no browser id associated with the current request, this method will raise an error.

You shouldn’t need to use this method during typical operations, but it may be useful in advanced applications.

21.6.14. Determining Whether A Session Data Object Exists For The Browser Id Associated With This Request

If you wish to determine whether a session data object with a key that is the current request’s browser id exists in the session data manager’s associated session data container, you can use the:

hasSessionData()

method of the session data manager. This method returns true if there is session data associated with the current browser id:

<dtml-if "session_data_manager.hasSessionData()">
  The sessiondatamanager object has session data for the browser id
  associated with this request.
<dtml-else>
  The sessiondatamanager object does not have session data for
  the browser id associated with this request.
</dtml-if>

The:

hasSessionData()

method is useful in highly customized applications, but is probably less useful otherwise. It is recommended that you use REQUEST.SESSION instead, allowing the session data manager to determine whether or not to create a new data object for the current request.

21.6.16. Using Session onAdd and onDelete Events

The configuration of a Transient Object Container (aka a session data container) allows a method to be called when a session data object is created (onAdd) or when it is invalidated or timed out (onDelete).

The events are independent of each other. You might want an onAdd method but not an onDelete method. You may define one, both or none of the TOC event methods.

Here are examples of the kinds of things Session onAdd and onDelete methods are used to do:

  • The onAdd method can be used to populate a session data object with “default” values before it’s used by application code.
  • The onDelete method can write the contents of a session data object out to a permanent data store before it is timed out or invalidated.

You can manually configure the onAdd and onDelete methods. Click the management tab of ‘temp_foldersession_data. Enter “a physical path” to either a an external method or python script. NOTE: This configuration is only good until the next Zope shutdown because:

\temp_folder\session_data

is in a RAM database, Configure the onAdd and onDelete methods for this data container via the:

zope.conf

configuration file for your Zope instance. This is covered in some detail in Setting Initial Transient Object Container Parameters later in this document.

Note: the onAdd and onDelete events do not raise exceptions if logic in the method code fails. Instead, an error is logged in the Zope event log. In recent versions of Zope, the event.log defaults to Zope-Instance/log/event.log. This is configurable in:

zope.conf

21.6.17. Writing onAdd and onDelete Methods

Session data objects optionally call a Zope method when they are created and when they are timed out or invalidated.

Specially-written Script (Python) scripts can be written to serve the purpose of being called on session data object creation and invalidation.

The Script (Python) should define two arguments, “sdo” and “toc”. “sdo” represents the session data object being created or terminated, and “toc” represents the transient object container in which this object is stored.

For example, to create a method to handle a session data object onAdd event which prepopulates the session data object with a DateTime object, you might write a Script (Python) named:

onAdd

which had function parameters “sdo” and “toc” and a body of:

sdo['date'] = context.ZopeTime()

If you set the path to this method as the onAdd event, before any application handles the new session data object, it will be prepopulated with a key:

date

that has the value of a DateTime object set to the current time.

To create a method to handle a session onDelete event which writes a log message, you might write an External Method with the following body:

from zLOG import LOG, WARNING
def onDelete(sdo, toc):
    logged_out = sdo.get('logged_out', None)
    if logged_out is None:
        LOG('session end', WARNING,
            'session ended without user logging out!')

If you set the path to this method as the onDelete event, a message will be logged if the:

logged_out

key is not found in the session data object.

Note that for onDelete events, there is no guarantee that the onDelete event will be called in the context of the user who originated the session! Due to the “expire-after-so-many-minutes-of-inactivity” behavior of session data containers, a session data object onDelete event initiated by one user may be called while a completely different user is visiting the application. Your onDelete event method should not naively make any assumptions about user state. For example, the result of the Zope call “getSecurityManager().getUser()” in an onDelete session event method will almost surely not be the user who originated the session.

The session data object onAdd method will always be called in the context of the user who starts the session.

For both onAdd and onDelete events, it is almost always desirable to set proxy roles on event methods to replace the roles granted to the executing user when the method is called because the executing user will likely not be the user for whom the session data object was generated. For more information about proxy roles, see the chapter entitled Users and Security.

For additional information about using session onDelete events in combination with data object timeouts, see the section entitled “Session Data Object Expiration Considerations” in the Concepts and Caveats section below.

21.7. Configuration and Operation

21.7.1. Setting the default Transient Object Container Parameters

Click on:

/temp_folder/session_data

and you’ll see options to control inactivity time-outs and the maximum allowable number of Session objects. You can even include paths to python scripts that handle a Session’s after-add and before-delete events.

Because:

/temp_folder/session_data

is stored in a RAM database, it disappears and is recreated after each restart of your Zope server. This means that any changes to parameters will be lost the next time you restart your Zope server.

If you need to permanently alter the default Transient Object Container’s configuration you must edit Zope’s startup configuration file:

zope.conf

Note that additional Transient Object Containers can be instantiated in permanent storage. They are rarely needed. If you do need this its covered in detail later in this document.

Here is the relevant portion of zope.conf:

# Directive: maximum-number-of-session-objects
# Description: An integer value representing the maximum number
#              of subobjects"
# allowable in the '/temp_folder/session_data' transient object container.
#
# Default: 1000
# Example: maximum-number-of-session-objects 10000

# Directive: session-add-notify-script-path
#
# Description:
#     An optional fill Zope path name of a callable object to be set as the
#     "script to call on object addition" of the session_data transient
#     object container created in the /temp_folder folder at startup.
#
# Default: unset
# Example: session-add-notify-script-path /scripts/add_notifier

# Directive: session-delete-notify-script-path
#

# Description:
#     An optional fill Zope path name of a callable object to be set as the
#     "script to call on object deletion" of the session_data transient
#     object container created in the /temp_folder folder at startup.
#
# Default: unset
# Example: session-delete-notify-script-path /scripts/del_notifier

# Directive: session-timeout-minutes
#
# Description:
#     An integer value representing the number of minutes to be used as the
#     "data object timeout" of the '/temp_folder/session_data' transient
#     object container.
#
# Default: 20
# Example: session-timeout-minutes 30

# Directive: session-resolution-seconds
#
# Description:
#    An integer value representing the number of seconds to be used as the
#    "timeout resolution" of the '/temp_folder/session_data' transient
#    object container.
#
# Default: 20
# Example: session-resolution-seconds 60

21.7.2. Instantiating Multiple Browser Id Managers (Optional)

Transient data objects depend on a session data manager, which in turn depends on a browser id manager. A browser id manager doles out and otherwise manages browser ids. All session data managers need to talk to a browser id manager to get browser id information.

You needn’t create a browser id manager to use sessioning. One is already created as a result of the initial Zope installation. If you’ve got special needs, you may want to instantiate more than one browser id manager. Having multiple browser id managers may be useful in cases where you have a “secure” section of a site and an “insecure” section of a site, each using a different browser id manager with respectively restrictive security settings.

In the container of your choosing, select “Browser Id Manager” from the add drop-down list in the Zope management interface. When you add a new browser id manager, the form options available are:

Id
You cannot choose an id for your browser id manager. It must always be “browser_id_manager”. Additionally, you cannot rename a browser id manager. This is required in the current implementation so that session data managers can find session id managers via Zope acquisition.
Title
the browser id manager title.
Browser Id Name
the name used to look up the value of the browser id. This will be the name looked up in the cookies or form REQUEST namespaces when the browser id manager attempts to find a cookie, form variable, or URL with a browser id in it.
Look for Browser Id Name In
choose the request elements to look in when searching for the browser id name. You may choose “cookies”, “Forms and Query Strings”, and “URLs”.

Automatically Encode Zope-Generated URLs With A Browser Id

if this option is checked, all URLs generated by Zope (such as URLs obtained via the absolute_url method of all Zope objects) will have a browser id name/value pair embedded within them. This typically only make sense if you’ve also got the URLs setting of “Look for Browser Id in” checked off.
Cookie Path
this is the path element which should be sent in the browser id cookie.
Cookie Domain
this is the “domain” element which should be sent in the browser id cookie. Leaving this form element blank results in no domain element in the cookie. If you change the cookie domain here, the value you enter must have at least two dots (as per the cookie spec).
Cookie Lifetime In Days
browser id cookies sent to browsers will last this many days on a remote system before expiring if this value is set. If this value is 0, cookies will persist on client browsers for only as long as the browser is open.

Only Send Cookie Over HTTPS

if this flag is set, only send cookies to remote browsers if they’re communicating with us over https. The browser id cookie sent under this circumstance will also have the secure flag set in it, which the remote browser should interpret as a request to refrain from sending the cookie back to the server over an insecure (non-https) connection. NOTE: In the case you wish to share browser id cookies between https and non-https connections from the same browser, do not set this flag.

After reviewing and changing these options, click the “Add” button to instantiate a browser id manager. You can change any of a browser id manager’s initial settings by visiting it in the management interface.

21.7.3. Instantiating A Session Data Manager (Optional)

After instantiating at least one browser id manager, it’s possible to instantiate a session data manager. You don’t need to do this in order to begin using Zope’s sessioning machinery, as a default session data manager is created as:

/session_data_manager

You can place a session data manager in any Zope container,as long as a browser id manager object named:

browser_id_manager

can be acquired from that container. The session data manager will use the first acquired browser id manager.

Choose “Session Data Manager” within the container you wish to house the session data manager from the “Add” drop-down box in the Zope management interface.

The session data manager add form displays these options:

Id
choose an id for the session data manager
Title
choose a title for the session data manager
Transient Object Container Path

enter the Zope path to a Transient Object Container in this text box in order to use it to store your session data objects. Note: session manager’s should not share transient object paths. This is an example path:

Zope transient object container is:

/MyTransientSessionFolder

After reviewing and changing these options, click the “Add” button to instantiate a session data manager.

You can manage a session data manager by visiting it in the management interface. You may change all options available during the add process by doing this.

21.7.4. Instantiating a Transient Object Container

The default transient object container at:

/temp_folder/session_data

stores its objects in RAM, so these objects and their data disappear when you restart Zope.

If you want your session data to persist across server reboots, or if you have a very large collection of session data objects, or if you’d like to share sessions between ZEO clients, you will want to instantiate a transient data container in a more permanent storage.

A heavily-utilized transient object container should be instantiated inside a database which is nonundoing! Although you may instantiate a transient data container in any storage, if you make heavy use of an external session data container in an undoing database (such as the default Zope database which is backed by “FileStorage”, an undoing and versioning storage), your database will grow in size very quickly due to the high-write nature of session tracking, forcing you to pack very often. You can “mount” additional storages within the zope.conf file of your Zope instance. The default temp_folder is mounted inside a TemporaryStorage , which is nonundoing and RAM-based. There are other nonundoing storages, such as BerkeleyStorage, although none quite as well-supported as TemporaryStorage.

Here are descriptions of the add form of a Transient Object Container, which may be added by selecting “Transient Object Container” for the Zope Add list.:

Special note: When you add a transient object container to a non-RAM-based storage, unlike the the default transient objects contained in temp_folder, these instances of TOC maintain their parameter settings between Zope Restarts. Importantly, they do not read zope.conf.
Id
the id of the transient object container
Title (optional)
the title of the transient object container
Data object timeout in minutes
enter the number of minutes of inactivity which causes a contained transient object be be timed out. “0” means no expiration.
Maximum number of subobjects
enter the maximum number of transient objects that can be added to this transient object container. This value helps prevent “denial of service” attacks to your Zope site by effectively limiting the number of concurrent sessions.
Script to call upon object add (optional)
when a session starts, you may call an external method or Script (Python). This is the Zope path to the external method or Script (Python) object to be called. If you leave this option blank, no onAdd function will be called. An example of a method path is /afolder/amethod.
Script to call upon object delete (optional)
when a session ends, you may call an external method or Script (Python). This is the Zope path to the external method or Script (Python) object to be called. If you leave this option blank, no onDelete function will be called. An example of a method path is /afolder/amethod.

Multiple session data managers can make use of a single transient object container to the extent that they may share the session data objects placed in the container between them. This is not a recommended practice, however, as it has not been tested at all.

The data object timeout in minutes value is the number of minutes that session data objects are to be kept since their last-accessed time before they are flushed from the data container. For instance, if a session data object is accessed at 1:00 pm, and if the timeout is set to 20 minutes, if the session data object is not accessed again by 1:19:59, it will be flushed from the data container at 1:20:00 or a time shortly thereafter. “Accessed”, in this terminology, means “pulled out of the container” by a call to the session data manager’s getSessionData() method or an equivalent (e.g. a reference to REQUEST.SESSION). See “Session Data Object Expiration Considerations” in the Concepts and Caveats section below for details on session data expiration.

21.7.5. Configuring Sessioning Permissions

You need only configure sessioning permissions if your requirements deviate substantially from the norm. In this case, here is a description of the permissions related to sessioning.

21.8. Concepts and Caveats

21.8.1. Security Considerations

Sessions are insecure by their very nature. If an attacker gets a hold of someone’s browser id, and if they can construct a cookie or use form elements or URL elements to pose as that user from their own browser, they will have access to all information in that user’s session. Sessions are not a replacement for authentication for this reason.

Ideally, you’d like to make certain that nobody but the user its intended for gets a hold of his browser id. To take steps in this direction, and if you’re truly concerned about security, you will ensure that you use cookies to maintain browser id information, and you will secure the link between your users and your site using SSL. In this configuration, it is more difficult to “steal” browser id information as the browser id will not be evident in the URL and it will be very difficult for attackers to “tap” the encrypted link between the browser and the Zope site.

There are significant additional risks to user privacy in employing sessions in your application, especially if you use URL-based or formvar-based browser ids. Commonly, a browser id is embedded into a form/querystring or a URL in order to service users who don’t have cookies turned on.

For example, this kind of bug was present until recently in a lot of webmail applications: if you sent a mail to someone that included a link to a site whose logs you could read, and the user clicked on the link in his webmail page, the full URL of the page, including the authentication (stored as session information in the URL) would be sent as a HTTP REFERER to your site.

Nowadays all serious webmail applications either choose to store at least some of the authentication information outside of the URL (in a cookie for instance), or process all the user-originated URLs included in the mail to make them go through a redirection that sanitizes the HTTP REFERER.

The moral of the story is: if you’re going to use sessions to store sensitive information, and you link to external sites within your own site, you’re best off using only cookie-based browser ids.

21.8.2. Browser Id (Non-)Expiration

A browser id will last as long as the browser id cookie persists on the client, or for as long as someone uses a bookmarked URL with a browser id encoded into it.

The same id will be obtained by a browser id manager on every visit by that client to a site - potentially indefinitely depending on which conveyance mechanisms you use and your configuration for cookie persistence.

The transient object container implements a policy for data object expiration. If asked for a session data object related to a particular browser id which has been expired by a session data container, a session data manager will a return a new session data object.

21.8.3. Session Data Object Expiration Considerations

Session data objects expire after the period between their last access and “now” exceeds the timeout value provided to the session data container which hold them. No special action need be taken to expire session data objects.

However, because Zope has no scheduling facility, the sessioning machinery depends on the continual exercising of itself to expire session data objects. If the sessioning machinery is not exercised continually, it’s possible that session data objects will stick around longer than the time specified by their data container timeout value. For example:

  • User A exercises application machinery that generates a session data object. It is inserted into a session data container which advertises a 20-minute timeout.
  • User A “leaves” the site.
  • 40 minutes go by with no visitors to the site.
  • User B visits 60 minutes after User A first generated his session data object, and exercises app code which hands out session data objects. - User A’s session is expired at this point, 40 minutes “late”.

As shown, the time between a session’s onAdd and onDelete is not by any means guaranteed to be anywhere close to the amount of time represented by the timeout value of its session data container. The timeout value of the data container should only be considered a “target” value.

Additionally, even when continually exercised, the sessioning machinery has a built in error potential of roughly 20% with respect to expiration of session data objects to reduce resource requirements. This means, for example, if a transient object container timeout is set to 20 minutes, data objects added to it may expire anywhere between 16 and 24 minutes after they are last accessed.

21.8.4. Sessioning and Transactions

Sessions interact with Zope’s transaction system. If a transaction is aborted, the changes made to session data objects during the transaction will be rolled back.

21.8.5. Mutable Data Stored Within Session Data Objects

If you mutate an object stored as a value within a session data object, you’ll need to notify the sessioning machinery that the object has changed by calling set or __setitem__ on the session data object with the new object value. For example:

session = self.REQUEST.SESSION
foo = {}
foo['before'] = 1
session.set('foo', foo)

# mutate the dictionary

foo['after'] = 1

# performing session.get('foo') 10 minutes from now will likely
# return a dict with only 'before' within!

You’ll need to treat mutable objects immutably, instead. Here’s an example that makes the intent of the last example work by doing so:

session = self.REQUEST.SESSION
foo = {}
foo['before'] = 1
session.set('foo', foo)

# mutate the dictionary
foo['after'] = 1

# tickle the persistence machinery
session.set('foo', foo)

An easy-to-remember rule for manipulating data objects in session storage: always explicitly place an object back into session storage whenever you change it. For further reference, see the “Persistent Components” chapter of the Zope Developer’s Guide at http://www.zope.org/Documentation/ZDG.

21.8.6. session.invalidate() and stale references to the session object

This Python Script illustrates an issue with using the invalidate method of a session object:

request = container.REQUEST
session = request.SESSION
session.set('foo','bar')
session.invalidate()
# ............................................
# we expect that invalidate() flushes the session
# ............................................
print 'after invalidate()',session.get('foo') # 'bar' still prints!

# ............................................
# Even this isn't enough
# ............................................
session = request.SESSION
print 'after invalidate()', session.get('foo') # 'bar' still prints!

# ............................................
# Here's the work-around
# ............................................
session = context.session_data_manager.getSessionData()
print 'after getSessionData', session.get('foo') # 'bar' is GONE which is good
return printed

In short, after using the invalidate method of a session object, the next reference to the session object you obtain should be through “getSessionData” rather than REQUEST.SESSION.

21.8.7. Session Data Object Keys

A session data object has essentially the same restrictions as a Python dictionary. Keys within a session data object must be hashable (strings, tuples, and other immutable basic Python types; or instances which have a __hash__ method). This is a requirement of all Python objects that are to be used as keys to a dictionary. For more information, see the associated Python documentation at http://www.python.org/doc/current/ref/types.html (Mappings -> Dictionaries).

21.8.8. In-Memory Session Data Container RAM Utilization

Each session data object which is added to an “internal” (RAM-based) session data container will consume at least 2K of RAM.

21.8.9. Mounted Transient Object Container Caveats

Mounted TOC’s do not acquire parameter’s from zope.conf (which is the case for the default transient object container). Therefore you set parameters directly on the object in ZMI.

Persistent objects which have references to other persistent objects in the same database cannot be committed into a mounted database because the ZODB does not currently handle cross-database references.

Transient object containers which are sometimes stored in a “mounted” database (as is currently the case for the default

/temp_folder/session_data

TOC. If you use a transient object container that is accessed via a “mounted” database, you cannot store persistent object instances which have already been stored in the “main” database as keys or values in a session data object. If you try to do so, it is likely that an

InvalidObjectReference

exception will be raised by the ZODB when the transaction involving the object attempts to commit. As a result, the transaction will fail and the session data object (and other objects touched in the same transaction) will fail to be committed to storage.

If your “main” ZODB database is backed by a nonundoing storage, you can avoid this condition by storing session data objects in an transient object container instantiated within the “main” ZODB database. If this is not an option, you should ensure that objects you store as values or keys in a session data object held in a mounted session data container are instantiated “from scratch” (via their constructors), as opposed to being “pulled out” of the main ZODB.

21.8.10. Conflict Errors

This session tracking software stores all session state in Zope’s ZODB. The ZODB uses an optimistic concurrency strategy to maintain transactional integrity for simultaneous writes. This means that if two objects in the ZODB are changed at the same time by two different connections (site visitors) that a “ConflictError” will be raised. Zope retries requests that raise a ConflictError at most 3 times. If your site is extremely busy, you may notice ConflictErrors in the Zope debug log (or they may be printed to the console from which you run Zope). An example of one of these errors is as follows:

2009-01-16T04:26:58 INFO(0) Z2 CONFLICT Competing writes at, /getData
Traceback (innermost last):
File /zope/lib/python/ZPublisher/Publish.py, line 175, in publish
File /zope/lib/python/Zope/__init__.py, line 235, in commit
File /zope/lib/python/ZODB/Transaction.py, line 251, in commit
File /zope/lib/python/ZODB/Connection.py, line 268, in commit
ConflictError: '\000\000\000\000\000\000\002/'

Errors like this in your debug log (or console if you’ve not redirected debug logging to a file) are normal to an extent. If your site is undergoing heavy load, you can expect to see a ConflictError perhaps every 20 to 30 seconds. The requests which experience conflict errors will be retried automatically by Zope, and the end user should never see one. Generally, session data objects attempt to provide application-level conflict resolution to reduce the limitations imposed by conflict errors NOTE: to take advantage of this feature, you must store your transient object container in a storage such as FileStorage or TemporaryStorage which supports application-level conflict resolution.