# HG changeset patch # User paulb # Date 1114893111 0 # Node ID 0643717492e2527e1bda1fea0f9c004ccc0033d7 # Parent 32b0191a49e41231ce3a3380e7ec6abbb9df8797 [project @ 2005-04-30 20:31:51 by paulb] Introduced sessions documentation. Improved other documentation in minor ways. Removed the text documentation about sessions, since it is now included in the introductory documentation. Added users documentation by taking some material from the authenticators document. diff -r 32b0191a49e4 -r 0643717492e2 docs/SESSION.txt --- a/docs/SESSION.txt Sat Apr 30 00:22:03 2005 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,27 +0,0 @@ -Session Support in WebStack ---------------------------- - -Various frameworks do not support sessions. In order to provide primitive -support for sessions within WebStack upon such frameworks, the -WebStack.Helpers.Session module is used to provide a simple file-based session -store. It is necessary to create a directory called WebStack-sessions in a -particular location for the session store to function, and the location depends -on the framework as summarised in the following table. - -Framework Location ---------- -------- -BaseHTTPRequestHandler The directory where the server is run. -CGI The directory where the handler resides. -mod_python The server root (eg. /usr/local/apache2). -Twisted The directory where the server is run. - -Note that the WebStack-sessions directory must have the appropriate ownership -and privileges necessary for the server/framework to write session files into -it. - -Unsupported Frameworks and Framework Issues -------------------------------------------- - -Webware 0.8.1 has problems creating sessions and is therefore not supported. -Webware releases later than 0.8.1 (at least until the 2004-02-06 CVS snapshot -used for testing) do not support session detection or expiry correctly. diff -r 32b0191a49e4 -r 0643717492e2 docs/authenticators.html --- a/docs/authenticators.html Sat Apr 30 00:22:03 2005 +0000 +++ b/docs/authenticators.html Sat Apr 30 20:31:51 2005 +0000 @@ -1,101 +1,69 @@ - - + Application-Wide Authenticators - + -

Application-Wide Authenticators

-

Authenticators are special classes which can, in conjunction with -mechanisms in the server environment, judge whether a user of an application +mechanisms in the server environment, judge whether a user of an +application is recognised or not. The process of using authenticators is as follows:

    -
  1. Set up authentication in the server environment or framework in which - the application is to be deployed.
    2. +
  2. Set up authentication in the server environment or framework in +which the application is to be deployed.
  3. Introduce an authenticator class in the application.
-

Setting Up Authentication

- -

The exact details of configuring authentication mechanisms in each server -environment may vary substantially. For example, Apache environments require -that Auth directives be specified in the Apache configuration -files (see docs/ModPython/NOTES.txt); in Zope environments, -protected folders can be defined to hold the application when deployed (see +

The exact details of configuring authentication mechanisms in each +server +environment may vary substantially. For example, Apache environments +require +that Auth directives be specified in the Apache +configuration +files (see docs/ModPython/NOTES.txt); in Zope +environments, +protected folders can be defined to hold the application when deployed +(see docs/Zope/NOTES.txt).

-

Defining an Authenticator

- -

An authenticator must be defined within your application in order to make +

An authenticator must be defined within your application in order to +make decisions about users who have presented their credentials; this -authenticator will respond with a decision when prompted by the server or -underlying framework, either allowing or denying access for the user whose +authenticator will respond with a decision when prompted by the server +or +underlying framework, either allowing or denying access for the user +whose identity has been presented to the server/framework.

-

The code for an authenticator usually looks like this:

-
class MyAuthenticator:
-
-    "This is an authenticator - something which decides whether a user is known to the application."
-
-    def authenticate(self, trans):
-        user = trans.get_user()
-        [Make a decision about the validity of the user.]
-        [Return a true value if the user is allowed to access the application.]
-        [Return a false value if the user is not recognised or allowed to access the application.]
-
-    def get_auth_type(self):
-        "This method returns 'Basic' in most deployments."
-        return "Basic"
-
-    def get_realm(self):
-        "This method returns something to distinguish this authentication mechanism from others."
-        return "MyRealm"
- -

In this mechanism, authenticators rely on authentication information from -the server/framework and have a "global" effect on access to the application. -However, it is always possible to test the user identity later on and to -change the way an application behaves accordingly.

- -
-

WebStack API - User Identity

- -

Transaction objects have the following methods for inspecting and -redefining the identity of users:

-
-
get_user
-
This gets the name of the user attempting to access the - application.
-
set_user
-
This sets the name of the user, thus affecting subsequent calls to - get_user, allowing certain parts of an application to view - users according to other criteria than their basic username - for - example, one might use set_user to redefine each user's - identity in terms of the role that user may have in an application.
-
-
- +
class MyAuthenticator:

    "This is an authenticator - something which decides whether a user is known to the application."

    def authenticate(self, trans):
        user = trans.get_user()
        [Make a decision about the validity of the user.]
        [Return a true value if the user is allowed to access the application.]
        [Return a false value if the user is not recognised or allowed to access the application.]

    def get_auth_type(self):
        "This method returns 'Basic' in most deployments."
        return "Basic"

    def get_realm(self):
        "This method returns something to distinguish this authentication mechanism from others."
        return "MyRealm"
+

In this mechanism, authenticators rely on authentication information +from +the server environment and have a "global" effect on access to the +application. +However, it is always possible to test the user identity later on and +to +change the way an application behaves accordingly - see "Users and Authentication" for more information.

Introducing an Authenticator

-

Authenticator objects are created in the adapter code - see "Writing Adapters" for more information.

- + href="writing-adapters.html">"Writing Adapters" for more +information.

Anonymous Access

- -

With application-wide authenticators, anonymous access to resources and -applications can be difficult to permit alongside access by specific users, +

With application-wide authenticators, anonymous access to resources +and +applications can be difficult to permit alongside access by specific +users, mostly because servers and frameworks which employ HTTP authentication schemes do so globally for a given application.

-

Logout Functions

-

With application-wide authenticators, a logout function may not be available if the server/framework has been configured to use HTTP -authentication schemes, mainly because no logout mechanism generally exists +authentication schemes, mainly because no logout mechanism generally +exists for such schemes.

diff -r 32b0191a49e4 -r 0643717492e2 docs/cookies.html --- a/docs/cookies.html Sat Apr 30 00:22:03 2005 +0000 +++ b/docs/cookies.html Sat Apr 30 20:31:51 2005 +0000 @@ -19,9 +19,17 @@ stored in a cookie and the type of that information (it must be a plain Python string), the mechanism is useful for identifying users or remembering simple things about the operations that the user has been -performing. Some applications use cookies to remember the state -of their user interfaces, such as which parts of a navigational -menu have been opened by the user, for example.

+performing. Some uses include:

+

WebStack API - Using Cookies

The Application Design Considerations

When writing an application, we must try and cover the three activities mentioned in our overview of -what a simple application looks like:

+what a simple resource looks like:

  1. Examine the transaction, decide what the user wants to do.
  2. Perform some kind of action with the information supplied.
    3. diff -r 32b0191a49e4 -r 0643717492e2 docs/encodings.html --- a/docs/encodings.html Sat Apr 30 00:22:03 2005 +0000 +++ b/docs/encodings.html Sat Apr 30 20:31:51 2005 +0000 @@ -12,10 +12,11 @@ Python's Unicode objects as much as possible. However, there are a number of places where plain Python strings can be involved:

    When Web pages (and other types of content) are sent to and from users of your application, the text will be in some kind of character diff -r 32b0191a49e4 -r 0643717492e2 docs/login-redirect.html --- a/docs/login-redirect.html Sat Apr 30 00:22:03 2005 +0000 +++ b/docs/login-redirect.html Sat Apr 30 20:31:51 2005 +0000 @@ -1,219 +1,198 @@ - - + LoginRedirect and Login Modules - + -

    LoginRedirect and Login Modules

    - -

    The LoginRedirect and Login modules provide a +

    The LoginRedirect and Login modules +provide a "single sign-on" environment for WebStack applications. Unlike the authenticator-only approach, each application or part of an application utilising this mechanism must be wrapped inside a -LoginRedirectResource object which determines whether a given +LoginRedirectResource object which determines whether a +given transaction contains information identifying the application's user.

    -

    How the Modules Work

    - -

    When a request arrives in the application, the following things happen:

    +

    When a request arrives in the application, the following things +happen:

      -
    1. The LoginRedirectResource examines the transaction and - attempts to find out whether it identifies a user.
      2. -
    2. Should sufficient information be present in the transaction, the user - is allowed to access the application and is identified in the normal way - (ie. the get_user method on the transaction object).
      3. -
    3. Otherwise, a redirect occurs to a login screen provided by a - LoginResource object which then presents a login form to be - completed by the user.
      4. -
    4. The LoginResource object then receives the completed form - information and verifies the identity of the user, testing the supplied - credentials against the credentials database specified in the deployment - of the resource.
      5. -
    5. Upon successful authentication, the user is redirected back to the - application, guarded by LoginRedirectResource which should - let the user gain access.
      6. +
    6. The LoginRedirectResource examines the transaction +and attempts to find out whether it identifies a user.
      7. +
    7. Should sufficient information be present in the transaction, the +user is allowed to access the application and is identified in the +normal way (ie. the get_user method on the transaction +object).
      8. +
    8. Otherwise, a redirect occurs to a login screen provided by a LoginResource +object which then presents a login form to be completed by the user.
      9. +
    9. The LoginResource object then receives the +completed form information and verifies the identity of the user, +testing the supplied credentials against the credentials database +specified in the deployment of the resource.
      10. +
    10. Upon successful authentication, the user is redirected back to +the application, guarded by LoginRedirectResource which +should let the user gain access.
    -

    Introducing LoginRedirectResource

    - -

    The easiest way of introducing LoginRedirectResource objects +

    The easiest way of introducing LoginRedirectResource +objects is to do so in the adapter code, as described in "Writing Adapters". The most significant + href="writing-adapters.html">"Writing Adapters". The most +significant difference between deploying normal resources and -LoginRedirectResource objects is the special way in which such -objects are initialised and that they themselves contain the actual resources +LoginRedirectResource objects is the special way in which +such +objects are initialised and that they themselves contain the actual +resources of the application which provide the real functionality.

    - -

    Here is what the deployment of LoginRedirectResource objects +

    Here is what the deployment of LoginRedirectResource +objects often looks like:

    -
    from WebStack.Resources.LoginRedirect import LoginRedirectResource, LoginRedirectAuthenticator
-
-deploy(
-    LoginRedirectResource(
-        login_url="http://localhost:8081",
-        app_url="http://localhost:8080",
-        resource=[some resource object which provides the real application behaviour],
-        authenticator=LoginRedirectAuthenticator(secret_key="horses"),
-        anonymous_parameter_name="anonymous",
-        logout_parameter_name="logout"
-    )
-)
    - -

    Certain parts of the resource are configurable, according to which other +

    from WebStack.Resources.LoginRedirect import LoginRedirectResource, LoginRedirectAuthenticator

    deploy(
        LoginRedirectResource(
            login_url="http://localhost:8081",
            app_url="http://localhost:8080",
            resource=[some resource object which provides the real application behaviour],
            authenticator=LoginRedirectAuthenticator(secret_key="horses"),
            anonymous_parameter_name="anonymous",
            logout_parameter_name="logout"
        )
    )
    +

    Certain parts of the resource are configurable, according to which +other services may exist in or alongside the deployed application.

    -

    WebStack API - LoginRedirectResource Initialisation

    -

    The following parameters must be provided when initialising a LoginRedirectResource object:

    login_url
    -
    This specifies the location of the separate login application or - resource which presents a login screen to unidentified users and logs - them in.
    +
    This specifies the location of the separate login application or +resource which presents a login screen to unidentified users and logs +them in.
    app_url
    -
    This specifies the location of the application itself - it must - therefore be updated according to where the application is eventually - deployed.
    +
    This specifies the location of the application itself - it must +therefore be updated according to where the application is eventually +deployed.
    resource
    -
    This provides the resource object which contains the application - code, or at least the entry point into various parts of the application - code.
    +
    This provides the resource object which contains the application +code, or at least the entry point into various parts of the application +code.
    authenticator
    -
    This provides the authenticator object which decides whether a user - is recognised or not. The special - LoginRedirectAuthenticator is recommended and must itself - be configured using a secret_key parameter which is used - to protect user-related information exchanged over the network - the - value provided for secret_key must be unguessable and kept - secret from unauthorised individuals.
    +
    This provides the authenticator object which decides whether a +user is recognised or not. The special LoginRedirectAuthenticator +is recommended and must itself be configured using a secret_key +parameter which is used to protect user-related information exchanged +over the network - the value provided for secret_key must +be unguessable and kept secret from unauthorised individuals.
    anonymous_parameter_name
    -
    An optional parameter providing the name of a request parameter (see - "Request Parameters and Uploads") which, - if specified, permits a user to access an application without being - formally identified. If omitted, all users will be required to identify - themselves explicitly.
    +
    An optional parameter providing the name of a request parameter +(see "Request Parameters and Uploads") +which, if specified, permits a user to access an application without +being formally identified. If omitted, all users will be required to +identify themselves explicitly.
    anonymous_username
    -
    An optional parameter providing the name given to anonymous users - which is returned when a transaction's get_user method is - called. By default, anonymous is used for such users.
    +
    An optional parameter providing the name given to anonymous users +which is returned when a transaction's get_user method is +called. By default, anonymous is used for such users.
    logout_parameter_name
    -
    An optional parameter providing the name of a request parameter - which, if specified, permits a user to log out of an application. If - omitted, no means of logging out will be available, although deleting - browser cookies will probably have the desired effect.
    +
    An optional parameter providing the name of a request parameter +which, if specified, permits a user to log out of an application. If +omitted, no means of logging out will be available, although deleting +browser cookies will probably have the desired effect.
    logout_url
    -
    An optional parameter which indicates the location of the resource - visited when a user logs out. By default, the location is a path to the - root resource in the server environment of the application.
    +
    An optional parameter which indicates the location of the +resource visited when a user logs out. By default, the location is a +path to the root resource in the server environment of the application.
    use_logout_redirect
    -
    An optional parameter which determines whether users logging out of - an application will be redirected to the logout_url or - not. By default, users are redirected, but if a false value is given - for this parameter, a simple page is presented to the user informing - them of the situation - it is recommended that a subclass of - LoginRedirectResource be employed should more informative - pages be required.
    +
    An optional parameter which determines whether users logging out +of an application will be redirected to the logout_url or +not. By default, users are redirected, but if a false value is given +for this parameter, a simple page is presented to the user informing +them of the situation - it is recommended that a subclass of LoginRedirectResource +be employed should more informative pages be required.
    - -

    Redirection From/To the Application

    - -

    Some server/framework environments do not permit automatic redirection -back to the application, notably Apache/mod_python. In such cases, a success -screen is presented to the user with a link to the application they were +

    Redirection from/to the Application

    +

    Some server/framework environments do not permit automatic +redirection +back to the application, notably Apache/mod_python. In such cases, a +success +screen is presented to the user with a link to the application they +were attempting to access.

    -

    The Role of Authenticators

    - -

    In this mechanism, authenticators are employed, but only to verify the +

    In this mechanism, authenticators are employed, but only to verify +the credentials of users when LoginResource or -LoginRedirectResource objects are accessed. Although it should +LoginRedirectResource objects are accessed. Although it +should be possible to reuse application-wide authenticator classes in conjunction with LoginResource, such classes will not provide the additional functionality required to support the "single sign-on" aspects of this mechanism - mixing in such -classes with LoginAuthenticator may provide a solution to this +classes with LoginAuthenticator may provide a solution to +this issue, however.

    -

    Deploying a Login Application

    - -

    In order for this authentication mechanism to function in its entirety, a +

    In order for this authentication mechanism to function in its +entirety, a login application (or resource) must be available to authenticate -unidentified users. It may already be the case that such an application has +unidentified users. It may already be the case that such an application +has been deployed and is available at a certain URL - if so, it should be -sufficient for a LoginRedirectResource object to be configured -as described above, making sure that the login_url actually +sufficient for a LoginRedirectResource object to be +configured +as described above, making sure that the login_url +actually refers to the location of the existing login application, and that the -authenticator object's secret_key is consistent +authenticator object's secret_key is +consistent with the way the existing login application has been set up.

    - -

    However, if no existing login application (or resource) exists, one may be +

    However, if no existing login application (or resource) exists, one +may be deployed using adapter code similar to the following:

    -
    from WebStack.Adapters.BaseHTTPRequestHandler import deploy
-from WebStack.Resources.Login import LoginResource, LoginAuthenticator
-
-deploy(
-    LoginResource(                   # This is the login application's main resource.
-        LoginAuthenticator(          # This provides authentication support.
-            secret_key="horses",
-            credentials=(
-                ("badger", "abc"),
-                ("vole", "xyz"),
-            )
-        )
-    ),
-    address=("", 8081)
-)
    - +
    from WebStack.Adapters.BaseHTTPRequestHandler import deploy
    from WebStack.Resources.Login import LoginResource, LoginAuthenticator

    deploy(
        LoginResource(                   # This is the login application's main resource.
            LoginAuthenticator(          # This provides authentication support.
                secret_key="horses",
                credentials=(
                    ("badger", "abc"),
                    ("vole", "xyz"),
                )
            )
        ),
        address=("", 8081)
    )

    The above code merely starts a login application in the -BaseHTTPRequestHandler environment at a specific address (which corresponds +BaseHTTPRequestHandler environment at a specific address (which +corresponds to that specified in the login_url of the LoginRedirectResource used above) and provides a LoginAuthenticator object configured to use a secret_key (which corresponds to the secret_key used in the authenticator of the -LoginRedirectResource above) and some user credentials. The user -credentials define which users are to be recognised for applications which +LoginRedirectResource above) and some user credentials. +The user +credentials define which users are to be recognised for applications +which employ this login application, along with the password details of each user.

    -

    WebStack API - LoginAuthenticator Credentials

    -

    When initialising a LoginAuthenticator object with credentials, the supplied credentials object must support tests on its contents of the following form:

    (username, password) in credentials
    -

    In other words, the credentials object must either be a sequence of username and password tuples, or it must implement the -__contains__ method and accept such tuples as arguments to that +__contains__ method and accept such tuples as arguments to +that method.

    -

    Anonymous Access

    - -

    With the LoginRedirect and Login modules, it is +

    With the LoginRedirect and Login +modules, it is possible to declare a particular request parameter (see -anonymous_parameter_name above) which must be present in the URL -used to access a particular application for the client to be given anonymous -access. Consequently, anonymous users are then identified specially with a +anonymous_parameter_name above) which must be present in +the URL +used to access a particular application for the client to be given +anonymous +access. Consequently, anonymous users are then identified specially +with a special username that can also be configured (see anonymous_username above).

    -

    Logout Functions

    - -

    With the LoginRedirect and Login modules, it is +

    With the LoginRedirect and Login +modules, it is possible to declare a particular request parameter (see -logout_parameter_name above) which must be present in the URL -used to access a particular application for the client to be logged out. A +logout_parameter_name above) which must be present in the +URL +used to access a particular application for the client to be logged +out. A special logout confirmation URL may also be configured (see logout_url and use_logout_redirect above).

    diff -r 32b0191a49e4 -r 0643717492e2 docs/securing.html --- a/docs/securing.html Sat Apr 30 00:22:03 2005 +0000 +++ b/docs/securing.html Sat Apr 30 20:31:51 2005 +0000 @@ -1,32 +1,28 @@ - - + Securing a WebStack Application - + -

    Securing a WebStack Application

    - -

    Making sure that Web applications are "secure" involves many different -aspects of application design, deployment and administration. This document -covers only the usage of the authentication features of the WebStack API.

    - +

    Making sure that Web applications are "secure" involves many +different +aspects of application design, deployment and administration. This +guide currently only covers the usage of the authentication features of +the WebStack API.

    Authentication in WebStack

    - -

    There are two principal methods of introducing authentication and applying +

    There are two principal methods of introducing authentication and +applying access control to WebStack applications:

    -

    Here is a comparison of the features of these mechanisms:

    - - +
    @@ -35,22 +31,41 @@ - - + + - - + +
    DeploymentSome Web server configuration required.
    - Application only requires an additional object for - authentication.    		An additional login application or resource must be deployed. +
      +
    • Some Web server configuration required.
      • +
    • The application only requires an additional object to be +instantiated to support authentication.
      • +
    +     		+
      +
    • An additional login application or resource must be +deployed.
      • +
    +
    FlexibilityPossibly inflexible user experience - users may only get the login - dialogue; probably no logout function.
    - HTTP-style authentication is well understood and supported when - automating client access.    		The login and logout activities can be customised to suit the - appearance of the rest of the application.
    - Many applications can share the same login application, providing a - "single sign-on" experience and potentially reduced administrative - overhead.    		 +
      +
    • The user experience may seem too inflexible or unfriendly - +users may only get the login dialogue.
      • +
    • There is also probably no logout function, since it +requires browser support.
      • +
    • HTTP-style authentication is well understood and supported +when automating client access.
      • +
    +     		+
      +
    • The login and logout activities can be customised to suit +the appearance of the rest of the application.
      • +
    • Many applications can share the same login application, +providing a "single sign-on" experience and potentially reduced +administrative overhead.
      • +
    +
    diff -r 32b0191a49e4 -r 0643717492e2 docs/sessions-servers.html --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/docs/sessions-servers.html Sat Apr 30 20:31:51 2005 +0000 @@ -0,0 +1,64 @@ + + + + + Server Environment Support for Sessions + + + + +

    Server Environment Support for Sessions

    +

    Various server environments or frameworks do not support sessions +directly. In order to provide primitive support for sessions within +WebStack upon such frameworks, the WebStack.Helpers.Session +module is used to provide a simple file-based session store. Before +deploying an application on one of these frameworks, it is necessary to +create a directory called WebStack-sessions in a +particular location so that the storage of session information will +work.

    +

    The location of the WebStack-sessions directory +depends on the framework as summarised below:

    + + + + + + + + + + + + + + + + + + + + + + + +
    Server EnvironmentDirectory Location
    BaseHTTPRequestHandlerThe directory where the +server is run.
    CGIThe directory where the +handler resides.
    mod_pythonThe server root (such +as /usr/local/apache2).
    TwistedThe directory where the +server is run.
    +

    Note that the WebStack-sessions directory must +have the appropriate ownership and privileges necessary for the server +or framework to write session information into it.
    +

    +

    Unsupported Environments and Framework Issues

    + + + diff -r 32b0191a49e4 -r 0643717492e2 docs/sessions-usage.html --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/docs/sessions-usage.html Sat Apr 30 20:31:51 2005 +0000 @@ -0,0 +1,70 @@ + + + + + Using Sessions + + + + +

    Using Sessions

    +

    Unlike cookies, session information is always stored on the server +and is not communicated back to the user. Consequently, sessions have +several advantages over cookies, and the uses of sessions may include +the storage of...

    + +
    +

    WebStack API - Using Sessions

    +

    In WebStack, a session appears as a dictionary to applications and +is acquired for a specific user through the transaction +object. The following methods are provided in the transaction for +accessing and maintenance of session information:

    +
    +
    get_session
    +
    This method returns the session for the identified user. The create +parameter can be set to a true value to create a new session for a user +if no session previously existed; otherwise None is +returned in such situations.
    +
    expire_session
    +
    This method causes the session information associated with the +identified user to be forgotten. Note that this may not really happen +until the user sends another request, and that the get_session +method may still return the current session.
    +
    +

    Session objects, which resemble dictionaries, employ plain Python +strings as keys in the accessing of information, and as the values +loaded and stored inside the session. Unlike cookies, upon setting +information within a session, such information is remembered thereafter +without any other actions being necessary to make that information +permanent or persistent.

    +
    +
    +
    +

    How and When to Access Sessions

    +

    To find out if a session has already been created, ask for a session +by specifying that one should not be automatically created:

    +
            # In the respond method...
            session = trans.get_session(create=0)    # session is None if no session already exists
    +

    To ensure that a session exists, just ask for a session:

    +
            # In the respond method...
            session = trans.get_session()            # this is the same as using create=1
    +

    Session contents may mostly be accessed like dictionaries, so to +access the keys within a session the following code could be used:

    +
            # In the respond method after obtaining a session...
            for key in session.keys():
                [Do something with the key - perhaps obtain values.]
    +

    To test the presence of a key, and to access values associated with +a key, the usual dictionary methods apply:

    +
            # In the respond method after obtaining the session...
            if session.has_key("my_data"):
                my_data = session["my_data"]
                [Do something with my_data.]
                session["my_data"] = my_data
    +

    The session for the user may be removed or "expired" as follows:

    +
            # In the respond method...
            trans.expire_session()
    +

    Note that WebStack automatically knows which session is to be +expired since only one such session can exist for the identified user.

    + + diff -r 32b0191a49e4 -r 0643717492e2 docs/sessions.html --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/docs/sessions.html Sat Apr 30 20:31:51 2005 +0000 @@ -0,0 +1,67 @@ + + + + + Sessions and Persistent Information + + + + +

    Sessions and Persistent Information

    +

    The term "session" is a technical term describing information which +is remembered by an application for a particular user. Sessions work in +conjunction which other mechanisms - typically cookies +and user identifiers - like this:

    +
      +
    1. The application finds out who the user is - this information may +be recorded in a cookie or be associated +with a request in some other way.
      2. +
    2. It then accesses a data store containing information associated +different users.
      3. +
    3. Finally, it accesses information specific to the stated user - +this is that particular user's session.
      4. +
    +

    Sessions vs. Persistent Information

    +

    Information can be said to be "persistent" when it is +remembered beyond the lifetime of a particular request to an +application. Sessions, meanwhile, are effectively a special case of +persistent information - data is addressed or accessed using each +user's identity, and the information is partitioned in such a way that +sessions cannot be shared between users.

    + + + + + + + + + + + + + + + + + + +
    SessionsPersistent Information
    AccessThrough user identity.Through any relevant +concept: users, documents, orders, products, locations - anything an +application might want to remember.
    PartitioningBy user identity. Each +user has its own private data store.Arbitrary. Many data +stores or data sources may be set up. The data may be shared across the +entire application or there may be access controls in place.
    +

    Access to persistent information in general can be done by using +database access libraries, for example - see "Integrating +with Other Systems" for more details.

    +

    More About Sessions

    + + + diff -r 32b0191a49e4 -r 0643717492e2 docs/users.html --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/docs/users.html Sat Apr 30 20:31:51 2005 +0000 @@ -0,0 +1,43 @@ + + + + + Users and Authentication + + + + +

    Users and Authentication

    +

    One way of discovering the identity of the user sending a request +into your application is to test the identity using methods on the +transaction object. Before this can be made to work, you must set +up authentication for your application, as described in "Securing a WebStack Application". Once +authentication is working, every request that arrives in the +application will have the identity of the user attached automatically.

    +

    Uses of User Identity

    +

    Having access to a user's identity can be useful in making decisions +about which operations that user is able to perform within your +application. Moreover, the user identity provided by authentication +mechanisms can tell you more about who that user is, as opposed to +typical session information which, on its own, can only really confirm +that the user in question has visited the application before.

    +
    +

    WebStack API - User Identity

    +

    Transaction objects have the following methods for inspecting and +redefining the identity of users:

    +
    +
    get_user
    +
    This gets the name of the user attempting to access the +application.
    +
    set_user
    +
    This sets the name of the user, thus affecting subsequent calls +to get_user, allowing certain parts of an application to +view users according to other criteria than their basic username - for +example, one might use set_user to redefine each user's +identity in terms of the role that user may have in an application.
    +
    +
    + +