This file is indexed.

/usr/share/pyshared/zope/session/design.txt is in python-zope.session 3.9.5-0ubuntu2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
Sessions
========

Sessions provide a way to temporarily associate information with a
client without requiring the authentication of a principal.  We
associate an identifier with a particular client. Whenever we get a
request from that client, we compute the identifier and use the
identifier to look up associated information, which is stored on the
server.

A major disadvantage of sessions is that they require management of
information on the server. This can have major implications for
scalability.  It is possible for a framework to make use of session
data very easy for the developer.  This is great if scalability is not
an issue, otherwise, it is a booby trap.

Design Issues
-------------

Sessions introduce a number of issues to be considered:

- Clients have to be identified. A number of approaches are possible,
  including:

  o Using HTTP cookies. The application assigns a client identifier,
    which is stored in a cookie.  This technique is the most
    straightforward, but can be defeated if the client does not
    support HTTP cookies (usually because the feature has been
    disabled).

  o Using URLs.  The application assigns a client identifier, which is
    stored in the URL.  This makes URLs a bit uglier and requires some
    care. If people copy URLs and send them to others, then you could
    end up with multiple clients with the same session
    identifier. There are a number of ways to reduce the risk of
    accidental reuse of session identifiers:

    - Embed the client IP address in the identifier

    - Expire the identifier

  o Use hidden form variables.  This complicates applications. It
    requires all requests to be POST requests and requires the
    maintenance of the hidden variables.

  o Use the client IP address

    This doesn't work very well, because an IP address may be shared by
    many clients.

- Data storage

  Data can be simply stored in the object database. This provides lots
  of flexibility. You can store pretty much anything you want as long
  as it is persistent. You get the full benefit of the object database,
  such as transactions, transparency, clustering, and so on.  Using
  the object database is especially useful when:

  - Writes are infrequent

  - Data are complex

  If writes are frequent, then the object database introduces
  scalability problems.  Really, any transactional database is likely
  to introduce problems with frequent writes. If you are tempted to
  update session data on every request, think very hard about it.  You
  are creating a scalability problem.

  If you know that scalability is not (and never will be) an issue,
  you can just use the object database.

  If you have client data that needs to be updated often (as in every
  request), consider storing the data on the client.  (Like all data
  received from a client, it may be tainted and, in most instances,
  should not be trusted. Sensitive information that the user should
  not see should likewise not be stored on the client, unless
  encrypted with a key the client has no access to.)  If you can't
  store it on the client, then consider some other storage mechanism,
  like a fast database, possibly without transaction support.

  You may be tempted to store session data in memory for speed.  This
  doesn't turn out to work very well.  If you need scalability, then
  you need to be able to use an application-server cluster and storage
  of session data in memory defeats that.  You can use
  "server-affinity" to assure that requests from a client always go
  back to the same server, but not all load balancers support server
  affinity, and, for those that do, enabling server affinity tends to
  defeat load balancing.

- Session expiration

  You may wish to ensure that sessions terminate after some period of
  time. This may be for security reasons, or to avoid accidental
  sharing of a session among multiple clients.  The policy might be
  expressed in terms of total session time, or maximum inactive time,
  or some combination.

  There are a number of ways to approach this.  You can expire client
  ids. You can expire session data.

- Data expiration

  Because HTTP is a stateless protocol, you can't tell whether a user
  is thinking about a task or has simply stopped working on it.  Some
  means is needed to free server session storage that is no-longer needed.

  The simplest strategy is to never remove data. This strategy has
  some obvious disadvantages.  Other strategies can be viewed as
  optimizations of the basic strategy.  It is important to realize that
  a data expiration strategy can be informed by, but need not be
  constrained by a session-expiration strategy.