We probably need a general mechanism to handle sessions:
What are the reasons to keep track of a session? I opt for keeping it stateless unless there are compelling reasons otherwise.
I am not thinking to a session ID, but rather to a set of varname=value pairs.
You just can't include a plain text 'USERNAME' in the URI without some form of authentication. Given that it is either no better than the standard browser user/password popup, or equalavent to some form of session management. -- NicholasLee - 14 Sep 2000
I agree, the USERNAME example is a little silly. (But this way I can avoid the user is disoriented when has already edited some topic and then reads other topics and finds that his preferences are not applied ...) BasicAuthentication remembers the user name only for authenticated pages. What I would like is:
Problem is as soon as you start tracking the user, ie create state, you require a persistent mechanism. This is because http is a stateless protocol. So (*) above wont work without a storage mechanism. Note since a TWiki device is the only thing likely to parse a TWiki URI it is possible to create unique TWiki URIs with embedded session keys. Just strip the sesion key before it gets passed to the content builder. -- NicholasLee - 13 Feb 2001
- by cookies? (but we raise the browser requirements)
- by url rewriting
- we can handle variables kept along the user session
- We could use a hidden field that is post/get at each click
- we must convert all links to submit buttons
- we can use javascript to change field's stored values
- we could just rewrite all internal links
- I am not sure we can change the values at will
What are the reasons to keep track of a session? I opt for keeping it stateless unless there are compelling reasons otherwise.
- Cookies do not always work (not supported or disabled) and are controversial. It would be OK if the funtionality would downgrade gracefully for non cookie browsers.
- Including a session ID in the URL is simple to implement, but has the disadvantage that a URL is not identifying a TWiki page uniquely anymore. At work it happens many times that a TWiki URL is sent in an email.
I am not thinking to a session ID, but rather to a set of varname=value pairs.
- the url mantains its meaning (you can send it, you can bookmark it)
- TWiki can do variable substitution also on the variables so defined
- A user, instead that edit his/her topic to change her settings, could just flip some choice/radio/combo box and submit a GET action in a form.
view and sets the preferred web color to #00FF00:
http://.../view/Codev/SessionVariables?WEBBGCOLOR=#00FF00&USERNAME=AndreaSterbiniPossible (easy) Implementation
- For all GET arguments add the name/value pair to the user's preferences
- Change the sub for internal links to add the parameters to the url
- This would solve the WhoIsTheRemoteUserInView problem (once the user is authenticated once).
- To be safe we must enforce SecurityAndVariableOverriding
You just can't include a plain text 'USERNAME' in the URI without some form of authentication. Given that it is either no better than the standard browser user/password popup, or equalavent to some form of session management. -- NicholasLee - 14 Sep 2000
I agree, the USERNAME example is a little silly. (But this way I can avoid the user is disoriented when has already edited some topic and then reads other topics and finds that his preferences are not applied ...) BasicAuthentication remembers the user name only for authenticated pages. What I would like is:
- until I view pages only I am considered a guest,
- from the moment I identify myself to the system the system remembers my name and applies my preferences even for (non authenticated) view
- for security I am not using at all this remembered username for authenticated pages, (moreover, in authenticated pages the system knows the RemoteUser)
- the implementation is cleaner
- the user has a simple model of how to write a page (just use %VAR%)
- the system must not store/handle any session ID, because all the information is delivered in the URI (so, no session ID generation, storage, expiration problems)
- I would like to adjust the edit field width at runtime without editing my personal preferences
- suppose the
edittemplate has a field named EDITWIDTH - I can write in this field my desired width
- this number is read by
preview, then written in the URI - from now on it is used when edit a new topic (*)
- suppose the
Problem is as soon as you start tracking the user, ie create state, you require a persistent mechanism. This is because http is a stateless protocol. So (*) above wont work without a storage mechanism. Note since a TWiki device is the only thing likely to parse a TWiki URI it is possible to create unique TWiki URIs with embedded session keys. Just strip the sesion key before it gets passed to the content builder. -- NicholasLee - 13 Feb 2001
Topic revision: r7 - 2001-11-01 - MikeMannix
Site map
Blog web
Create New Topic
Index
Search
Advanced search
My topics of interest
Changes
Major changes only
All tags
Notifications
RSS Feed
Statistics
Preferences
Community 
Readme first
Developers News
How you can help
Community roles
#twiki IRC
Lima Release
Feature Proposals
Bugs Changes
Categories 
Account 
Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.