/usr/share/pyshared/zope.session-3.9.5.egg-info/PKG-INFO is in python-zope.session 3.9.5-0ubuntu2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 | Metadata-Version: 1.1
Name: zope.session
Version: 3.9.5
Summary: Client identification and sessions for Zope
Home-page: http://pypi.python.org/pypi/zope.session
Author: Zope Foundation and Contributors
Author-email: zope-dev@zope.org
License: ZPL 2.1
Description: This package provides interfaces for client identification and session
support and their implementations for zope.publisher's request objects.
.. contents::
Sessions
========
Sessions provide a way to temporarily associate information with a
client without requiring the authentication of a principal. We
associate an identifier with a particular client. Whenever we get a
request from that client, we compute the identifier and use the
identifier to look up associated information, which is stored on the
server.
A major disadvantage of sessions is that they require management of
information on the server. This can have major implications for
scalability. It is possible for a framework to make use of session
data very easy for the developer. This is great if scalability is not
an issue, otherwise, it is a booby trap.
Design Issues
-------------
Sessions introduce a number of issues to be considered:
- Clients have to be identified. A number of approaches are possible,
including:
o Using HTTP cookies. The application assigns a client identifier,
which is stored in a cookie. This technique is the most
straightforward, but can be defeated if the client does not
support HTTP cookies (usually because the feature has been
disabled).
o Using URLs. The application assigns a client identifier, which is
stored in the URL. This makes URLs a bit uglier and requires some
care. If people copy URLs and send them to others, then you could
end up with multiple clients with the same session
identifier. There are a number of ways to reduce the risk of
accidental reuse of session identifiers:
- Embed the client IP address in the identifier
- Expire the identifier
o Use hidden form variables. This complicates applications. It
requires all requests to be POST requests and requires the
maintenance of the hidden variables.
o Use the client IP address
This doesn't work very well, because an IP address may be shared by
many clients.
- Data storage
Data can be simply stored in the object database. This provides lots
of flexibility. You can store pretty much anything you want as long
as it is persistent. You get the full benefit of the object database,
such as transactions, transparency, clustering, and so on. Using
the object database is especially useful when:
- Writes are infrequent
- Data are complex
If writes are frequent, then the object database introduces
scalability problems. Really, any transactional database is likely
to introduce problems with frequent writes. If you are tempted to
update session data on every request, think very hard about it. You
are creating a scalability problem.
If you know that scalability is not (and never will be) an issue,
you can just use the object database.
If you have client data that needs to be updated often (as in every
request), consider storing the data on the client. (Like all data
received from a client, it may be tainted and, in most instances,
should not be trusted. Sensitive information that the user should
not see should likewise not be stored on the client, unless
encrypted with a key the client has no access to.) If you can't
store it on the client, then consider some other storage mechanism,
like a fast database, possibly without transaction support.
You may be tempted to store session data in memory for speed. This
doesn't turn out to work very well. If you need scalability, then
you need to be able to use an application-server cluster and storage
of session data in memory defeats that. You can use
"server-affinity" to assure that requests from a client always go
back to the same server, but not all load balancers support server
affinity, and, for those that do, enabling server affinity tends to
defeat load balancing.
- Session expiration
You may wish to ensure that sessions terminate after some period of
time. This may be for security reasons, or to avoid accidental
sharing of a session among multiple clients. The policy might be
expressed in terms of total session time, or maximum inactive time,
or some combination.
There are a number of ways to approach this. You can expire client
ids. You can expire session data.
- Data expiration
Because HTTP is a stateless protocol, you can't tell whether a user
is thinking about a task or has simply stopped working on it. Some
means is needed to free server session storage that is no-longer needed.
The simplest strategy is to never remove data. This strategy has
some obvious disadvantages. Other strategies can be viewed as
optimizations of the basic strategy. It is important to realize that
a data expiration strategy can be informed by, but need not be
constrained by a session-expiration strategy.
Zope3 Session Implementation
============================
Overview
--------
.. CAUTION::
Session data is maintained on the server. This gives a security
advantage in that we can assume that a client has not tampered with
the data. However, this can have major implications for scalability
as modifying session data too frequently can put a significant load
on servers and in extreme situations render your site unusable.
Developers should keep this in mind when writing code or risk
problems when their application is run in a production environment.
Applications requiring write-intensive session implementations (such
as page counters) should consider using cookies or specialized
session implementations.
Sessions allow us to fake state over a stateless protocol - HTTP.
We do this by having a unique identifier stored across multiple
HTTP requests, be it a cookie or some id mangled into the URL.
The `IClientIdManager` Utility provides this unique id. It is
responsible for propagating this id so that future requests from
the client get the same id (eg. by setting an HTTP cookie). This
utility is used when we adapt the request to the unique client id:
>>> client_id = IClientId(request)
The `ISession` adapter gives us a mapping that can be used to store
and retrieve session data. A unique key (the package id) is used
to avoid namespace clashes:
>>> pkg_id = 'products.foo'
>>> session = ISession(request)[pkg_id]
>>> session['color'] = 'red'
>>> session2 = ISession(request)['products.bar']
>>> session2['color'] = 'blue'
>>> session['color']
'red'
>>> session2['color']
'blue'
Data Storage
------------
The actual data is stored in an `ISessionDataContainer` utility.
`ISession` chooses which `ISessionDataContainer` should be used by
looking up as a named utility using the package id. This allows
the site administrator to configure where the session data is actually
stored by adding a registration for desired `ISessionDataContainer`
with the correct name.
>>> import zope.component
>>> sdc = zope.component.getUtility(ISessionDataContainer, pkg_id)
>>> sdc[client_id][pkg_id] is session
True
>>> sdc[client_id][pkg_id]['color']
'red'
If no `ISessionDataContainer` utility can be located by name using the
package id, then the unnamed `ISessionDataContainer` utility is used as
a fallback. An unnamed `ISessionDataContainer` is automatically created
for you, which may replaced with a different implementation if desired.
>>> ISession(request)['unknown'] \
... is zope.component.getUtility(ISessionDataContainer)[client_id]\
... ['unknown']
True
The `ISessionDataContainer` contains `ISessionData` objects, and
`ISessionData` objects in turn contain `ISessionPkgData` objects. You
should never need to know this unless you are writing administrative
views for the session machinery.
>>> ISessionData.providedBy(sdc[client_id])
True
>>> ISessionPkgData.providedBy(sdc[client_id][pkg_id])
True
The `ISessionDataContainer` is responsible for expiring session data.
The expiry time can be configured by settings its `timeout` attribute.
>>> sdc.timeout = 1200 # 1200 seconds or 20 minutes
Restrictions
------------
Data stored in the session must be persistent or picklable.
>>> session['oops'] = open(__file__)
>>> import transaction
>>> transaction.commit()
Traceback (most recent call last):
[...]
TypeError: can't pickle file objects
Clean up:
>>> transaction.abort()
Page Templates
--------------
Session data may be accessed in page template documents using TALES::
<span tal:content="request/session:products.foo/color | default">
green
</span>
or::
<div tal:define="session request/session:products.foo">
<script type="text/server-python">
try:
session['count'] += 1
except KeyError:
session['count'] = 1
</script>
<span tal:content="session/count" />
</div>
Session Timeout
---------------
Sessions have a timeout (defaulting to an hour, in seconds).
>>> import zope.session.session
>>> data_container = zope.session.session.PersistentSessionDataContainer()
>>> data_container.timeout
3600
We need to keep up with when the session was last used (to know when it needs
to be expired), but it would be too resource-intensive to write the last access
time every, single time the session data is touched. The session machinery
compromises by only recording the last access time periodically. That period
is called the "resolution". That also means that if the last-access-time +
the-resolution < now, then the session is considered to have timed out.
The default resolution is 10 minutes (600 seconds), meaning that a users
session will actually time out sometime between 50 and 60 minutes.
>>> data_container.resolution
600
CHANGES
=======
3.9.5 (2011-08-11)
------------------
- LP #824355: enable support for HttpOnly cookies.
- Fix a bug in zope.session.session.Session that would trigger an
infinite loop if either iteration or a containment test were
attempted on an instance.
3.9.4 (2011-03-07)
------------------
- Added an explicit `provides` to the IClientId adapter declaration in
adapter.zcml.
- Added option to disable implicit sweeps in
PersistentSessionDataContainer.
3.9.3 (2010-09-25)
------------------
- Added test extra to declare test dependency on ``zope.testing``.
- Using Python's ``doctest`` module instead of depreacted
``zope.testing.doctest``.
3.9.2 (2009-11-23)
------------------
- Fix Python 2.4 hmac compatibility issue by only using hashlib in
Python versions 2.5 and above.
- Use the CookieClientIdManager's secret as the hmac key instead of the
message when constructing and verifying client ids.
- Make it possible to construct CookieClientIdManager passing cookie namespace
and/or secret as constructor's arguments.
- Use zope.schema.fieldproperty.FieldProperty for "namespace" attribute of
CookieClientIdManager, just like for other attributes in its interface.
Also, make ICookieClientIdManager's "namespace" field an ASCIILine, so
it accepts only non-unicode strings for cookie names.
3.9.1 (2009-04-20)
------------------
- Restore compatibility with Python 2.4.
3.9.0 (2009-03-19)
------------------
- Don't raise deprecation warnings on Python 2.6.
- Drop dependency on ``zope.annotation``. Instead, we make classes implement
`IAttributeAnnotatable` in ZCML configuration, only if ``zope.annotation``
is available. If your code relies on annotatable `CookieClientIdManager`
and `PersistentSessionDataContainer` and you don't include the zcml classes
configuration of this package, you'll need to use `classImplements` function
from ``zope.interface`` to make those classes implement `IAttributeAnnotatable`
again.
- Drop dependency on zope.app.http, use standard date formatting function
from the ``email.utils`` module.
- Zope 3 application bootstrapping code for session utilities was moved into
zope.app.appsetup package, thus drop dependency on zope.app.appsetup in this
package.
- Drop testing dependencies, as we don't need anything behind zope.testing and
previous dependencies was simply migrated from zope.app.session before.
- Remove zpkg files and zcml slugs.
- Update package's description a bit.
3.8.1 (2009-02-23)
------------------
- Add an ability to set cookie effective domain for CookieClientIdManager.
This is useful for simple cases when you have your application set up on
one domain and you want your identification cookie be active for subdomains.
- Python 2.6 compatibility change. Encode strings before calling hmac.new()
as the function no longer accepts the unicode() type.
3.8.0 (2008-12-31)
------------------
- Add missing test dependency on ``zope.site`` and
``zope.app.publication``.
3.7.1 (2008-12-30)
------------------
- Specify i18n_domain for titles in apidoc.zcml
- ZODB 3.9 no longer contains
ZODB.utils.ConflictResolvingMappingStorage, fixed tests, so they
work both with ZODB 3.8 and 3.9.
3.7.0 (2008-10-03)
------------------
New features:
- Added a 'postOnly' option on CookieClientIdManagers to only allow setting
the client id cookie on POST requests. This is to further reduce risk from
broken caches handing the same client id out to multiple users. (Of
course, it doesn't help if caches are broken enough to cache POSTs.)
3.6.0 (2008-08-12)
------------------
New features:
- Added a 'secure' option on CookieClientIdManagers to cause the secure
set-cookie option to be used, which tells the browser not to send the
cookie over http.
This provides enhanced security for ssl-only applications.
- Only set the client-id cookie if it isn't already set and try to
prevent the header from being cached. This is to minimize risk from
broken caches handing the same client id out to multiple users.
3.5.2 (2008-06-12)
------------------
- Remove ConflictErrors caused on SessionData caused by setting
``lastAccessTime``.
3.5.1 (2008-04-30)
------------------
- Split up the ZCML to make it possible to re-use more reasonably.
3.5.0 (2008-03-11)
------------------
- Change the default session "resolution" to a sane value and document/test it.
3.4.1 (2007-09-25)
------------------
- Fixed some meta data and switch to tgz release.
3.4.0 (2007-09-25)
------------------
- Initial release
- Moved parts from ``zope.app.session`` to this packages
Keywords: zope3 session
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Web Environment
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Zope Public License
Classifier: Programming Language :: Python
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Framework :: Zope3
|