Re: need help with sessions: msg#00077

java.enhydra.general

Subject: Re: need help with sessions

Petr,

I also patched Enhydra to move the session id from pathinfo to querystring.
And, to avoid a lot of confusion with the servlet runner's session
management, I changed its name from 'jsessionid' to a different identifier.

You ask how others do it - not sure I can answer because I'm not clear
exactly what you're trying to do. If you want to limit concurrent sessions
that use the same user identity, you need to do that at the user class
level - it's not part of the Enhydra framework per se. Otherwise, I'm not
sure why you're worried. If a given user opens another browser and
authenticates as a different user, the fact that the original window now
reflects that different identity doesn't seem to me to be a problem (since,
to do this, the user must have access to both credentials to start with).

As far as session information, if I understand your question correctly, the
setUser() method is designed to simply associate a session with a given
user. The details of that session are intended to be kept in the
SessionData object that is also associated with the session.

HTH,

Terry


----- Original Message -----
From: "Petr Stehlik" <pstehlik@xxxxxxxxxx>
To: <enhydra@xxxxxxxxxxx>
Sent: Wednesday, November 27, 2002 2:04 AM
Subject: Re: Enhydra: need help with sessions


> On Út, 2002-11-26 at 17:36, Terry Steichen wrote:
> > Petr,
> >
> > When you are using cookies for session management, if the user opens another
> > browser window, it will use the same cookie as the first window. If the
> > user logs out in one window and logs in as a different user, the original
> > window will now also use the new session.
>
> I have been working on a patch for enhydra 5.0 that simply adds
> something like a session ID to each URL. But not via
> "URL;jsessionid=XXX?query" but as a part of the "query" - it's basically
> a modification of my UrlRndPar that appends a random time stamp.
>
> > If you pass the session id as
> > part of the url (rather than via cookies), this isn't an issue.
>
> I see. But I would like to keep using the cookies (it's simpler - e.g.
> with applet-servlet communication). Unfortunately Enhydra does not have
> a mode that would use both cookie and URL for passing the session id.
>
> How do you others do it? Simply switch the session handling to the URL and
> forget about the cookie mode?
>
> Anyway, I would like to hear your opinion on the setUser() vs
> setSessionData(KEY) stuff. Do you use only the setUser() and keep all
> the session variables in the User class or do you use setSessionData()
> with a KEY - or even several different keys for different stuff in your
> application? What's the difference between SessionData and User classes
> when it comes to storing the session related info? Are they equivalent
> or do they differ somehow in handling? And what was the original idea
> behind this division for User and SessionData?
>
> Petr
>
>
>
> _______________________________________________
> Enhydra mailing list
> Enhydra@xxxxxxxxxxx
> http://www.enhydra.org/mailman/listinfo.cgi/enhydra
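
The reply above says that limiting concurrent sessions per user identity has to be done in application code rather than by the framework. The following is an added example, not part of the original thread and not Enhydra code: a hypothetical `UserSessionRegistry` (class and method names are assumptions) that tracks session keys per identity, handles the cookie case where one session is re-authenticated as a different user, and returns the sessions the application should invalidate.

```java
import java.util.*;

/** Hypothetical helper (not an Enhydra class): session keys per user identity. */
public class UserSessionRegistry {
    private final int limit;
    private final Map<String, Deque<String>> byUser = new HashMap<>(); // oldest first
    private final Map<String, String> owner = new HashMap<>();         // session -> user

    public UserSessionRegistry(int limit) {
        if (limit < 1) throw new IllegalArgumentException("limit must be >= 1");
        this.limit = limit;
    }

    /** Record a login; returns session keys the caller must now invalidate. */
    public synchronized List<String> register(String userId, String sessionKey) {
        // Same cookie, new identity: the session leaves its previous owner's list.
        release(sessionKey);
        owner.put(sessionKey, userId);
        Deque<String> keys = byUser.computeIfAbsent(userId, k -> new ArrayDeque<>());
        keys.addLast(sessionKey);
        List<String> evicted = new ArrayList<>();
        while (keys.size() > limit) {
            String old = keys.removeFirst();
            owner.remove(old);
            evicted.add(old);
        }
        return evicted;
    }

    /** Call on logout or expiry so stale sessions do not count against the user. */
    public synchronized void release(String sessionKey) {
        String userId = owner.remove(sessionKey);
        if (userId == null) return;
        Deque<String> keys = byUser.get(userId);
        keys.remove(sessionKey);
        if (keys.isEmpty()) byUser.remove(userId);
    }

    public static void main(String[] args) {
        UserSessionRegistry reg = new UserSessionRegistry(1);
        // Constructed sample identities and session keys.
        System.out.println(reg.register("alice", "s1")); // first login
        System.out.println(reg.register("alice", "s2")); // second browser, same user
        System.out.println(reg.register("bob", "s2"));   // same session, new identity
        System.out.println(reg.register("alice", "s3")); // alice has no sessions left
    }
}
```

The registry only decides which sessions exceed the limit; invalidating them is left to whatever session manager the application uses.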

