[Web-SIG] Session interface

Mike Orr mso at oz.net
Wed Aug 17 07:33:10 CEST 2005

Mike Orr wrote:

>Regarding sessionless persistence, that reminds me of a disagreement I 
>had with Titus in designing session2.  Quixote provides Session.user 
>default None, but doesn't define what other values it can have.  I put a 
>full-fledged User object with username/group/permission info.  Titus 
>puts a string name and stores everything else in his application 
>database.  So his *SessionStore classes put the name in a VARCHAR column 
>and didn't save the rest of the session data.  I argued that "most 
>people will have a User object, and they'll expect the entire Session to 
>be pickled because that's what PHP/Perl do."  He relented, so the 
>current *SessionStores can be used either way.
>Perhaps applications should store all session data directly, keyed by 
>session ID (and perhaps "username"), rather than using pickled 
>Sessions.  That would be a good idea for a parallel project.  I'm not 
>sure how relevant that would be to this API except to share "cookie 
>code".  This API + implementations are required in any case, both 
>because "most users" will not consider Python if it doesn't have "robust 
>session handling", and a common library would allow frameworks to use it 
>rather than reinventing the wheel incompatibly.  This is true regardless 
>of the merits of sessions.

Another thing about sessionless persistence.  I find sessions useful for 
storing miscellaneous data that would otherwise be sent to the browser 
and back.  Usually it's not a question of byte size but rather: (A) I 
don't want the user to see the data directly -- it contains more 
information about the application/server structure than I care to 
divulve, and (B) I don't want the user manipulating the data and sending 
back something invalid or in the wrong state -- which I would then have 
to error-check.

I could store the data in my relational database, but then I'd have to 
make a half-dozen tables for:

    .user       : a User instance.
    .search   : the latest search results (list of record IDs), the last 
        viewed (positive int), and the criteria to redo the search or
        repopulate the search form (dict).
    .message:  a message to display at the next request.
    ... other stuff ??

So I guess sessions are a lazy way to have object-database features in a 
relational-database application.  At least for data that lasts longer 
than a request but shorter than a session timeout.

-- Mike Orr <mso at oz.net>

More information about the Web-SIG mailing list