From bknr@bknr.net Wed Feb 18 22:15:00 2009 From: BKNR Commits To: bknr-cvs@common-lisp.net Subject: [bknr-cvs] edi changed trunk/thirdparty/hunchentoot/ Date: Wed, 18 Feb 2009 23:12:41 +0100 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3979258967521433474==" --===============3979258967521433474== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Revision: 4283 Author: edi URL: http://bknr.net/trac/changeset/4283 Sessions U trunk/thirdparty/hunchentoot/doc/index.xml U trunk/thirdparty/hunchentoot/session.lisp Modified: trunk/thirdparty/hunchentoot/doc/index.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/thirdparty/hunchentoot/doc/index.xml 2009-02-18 21:25:42 UTC (rev 4= 282) +++ trunk/thirdparty/hunchentoot/doc/index.xml 2009-02-18 22:12:41 UTC (rev 4= 283) @@ -1136,16 +1136,6 @@ not too old. Old sessions are automatically removed.

-For everyday session usage, you will probably just -use START-SESSION, -SESSION-VALUE, -maybe DELETE-SESSION-VALUE -and *SESSION*. However, there are two ways to -customize the way Hunchentoot maintains sessions: -

=20 SESSION objects are @@ -1218,6 +1208,29 @@ =20 + + session + + | + + Completely removes +the SESSION object session +from Hunchentoot's internal session +database. + + + + + + + + | + + Removes all stored sessions. + + + + Whether HTML pages should possibly be rewritten for co= okie-less session-management. @@ -1231,38 +1244,7 @@ =20 - - A session GC (see function SESSION-GC) will happen every -*SESSION-GC-FREQUENCY* requests (counting only -requests which create a new session) if this variable is -not NIL. See SESSION-CREATED. - - =20 - - The default time (in seconds) after which a session ti= mes out. - - - - - A function of one argument -(a SESSION object) which is called whenever a -session is garbage-collected. - - - - - A random ASCII string that's used to encode -the public session data. This variable is initially unbound and will -be set (using RESET-SESSION-SECRET) the first -time a session is created, if necessary. You can prevent this from -happening if you set the value yourself before -starting acceptors. - - - - - Whether the client's remote IP (as returned by REAL-REMOTE-ADDR) should be encoded into the session string. If this value is true, a @@ -1274,97 +1256,208 @@ =20 + + session + + remote-addr + + +The remote IP address of the client when this session was started as +returned by REAL-REMOTE-ADDR. + + + + - Whether the 'User-Agent' header should be en= coded into the session -string. If this value is true, a session will cease to be accessible -if the client sends a different 'User-Agent' header. + Whether the 'User-Agent' header should +be encoded into the session string. If this value is true, a session +will cease to be accessible if the client sends a different +'User-Agent' header. =20 - - - acceptor + + session - id + user-agent - Returns the next sequential session ID, an -integer, which should be unique per session. The default method uses -a simple global counter and isn't guarded by a lock. For a -high-performance production environment you might consider to use a -more robust implementation. + +The incoming 'User-Agent' header that +was sent when this session was created. =20 =20 - + session + max-time + + +Gets or sets the time (in seconds) after +which session expires if it's not used. + + + + + + The default time (in seconds) after which a session ti= mes out. + + + + + A session GC (see function SESSION-GC) will happen every +*SESSION-GC-FREQUENCY* requests (counting only +requests which create a new session) if this variable is +not NIL. See SESSION-CREATED. + + + + + + | - Completely removes the SESSION object SESSION from Hun= chentoot's -internal session database. + Removes sessions from the current session database whi= ch are too +old - see SESSION-TOO-OLD-P. =20 - - + + session - secret + generalized-boolean - Sets *SESSION-SECRET* to a new random value. All old s= essions will -cease to be valid. + Returns true if the SESSION objec= t session has not been active in +the last (session-max-time session) seconds. =20 - + + + A function of one argument +(a SESSION object) which is called whenever a +session is garbage-collected. + + + + + + + + + +For everyday session usage, you will probably just +use START-SESSION, +SESSION-VALUE, +maybe DELETE-SESSION-VALUE +and *SESSION*. However, there are two ways to +customize the way Hunchentoot maintains sessions. +

+One way is to mostly leave the session mechanism intact but to tweak +it a bit: +

The publicly visible part of session is encoded using a +secret which you can set yourself.
And it is stored using a cookie (or GET +parameter) name that you can +override.
Each session receives a new ID when +it is created and you can implement a more robust way to do that.
You can arrange to be called whenever a session +is created to trigger some action. You +might also do this to invent your own +session garbage collection.
By default, all sessions are stored in a global alist in memory. +You can't change the alist part, but you can distribute your sessions +amongst different "databases".
By default, every operation which modifies sessions or one of the +session databases is guarded by a global lock, but you can arrange to +provide different locks for this.

+The other way to customize Hunchentoot's sessions is to completely +replace them. This is actually pretty easy: Create your own class to +store state (which doesn't have to and probably shouldn't inherit +from SESSION) and implement methods for +SESSION-VERIFY +and SESSION-COOKIE-VALUE - that's it. +Hunchentoot will continue to use cookies and/or to rewrite URLs to +keep track of session state and it will store "the current session" +(whatever that is in your implementation) +in *SESSION*. Everything else (like persisting +sessions, GC, getting and setting values) you'll have to take care of +yourself and the other session functions +(like START-SESSION or +SESSION-VALUE) won't work anymore. (Almost) +total freedom, but a lot of responsibility as well... :) +

+ + + A random ASCII string that's used to encode +the public session data. This variable is initially unbound and will +be set (using RESET-SESSION-SECRET) the first +time a session is created, if necessary. You can prevent this from +happening if you set the value yourself before +starting acceptors. + + + + - | + secret - Removes ALL stored sessions. + Sets *SESSION-SECRET* to a +new random value. All old sessions will cease to be valid. =20 + +

acceptor

name - Returns the name (a string) of the cookie (or the -GET parameter) which is used to store a session on the client side. -The default is to use the string "hunchentoot-session", but you can + Returns the name (a string) of the cookie (or +the GET parameter) which is used to store a session on the client +side. The default is to use the +string "hunchentoot-session", but you can specialize this function if you want another name. =20 - - session - - string - - Returns a string which can be used to safely -restore the session SESSION if as session has already been -established. This is used as the value stored in the session cookie -or in the corresponding GET parameter. A default method is provided -and there's no reason to change it unless you want to use your own -session objects. - - -

acceptor new-session

result - This function is called whenever a new session has -been created. There's a default method which might trigger a session -GC based on the value of *SESSION-GC-FREQUENCY*. + This function is called whenever a new session +has been created. There's a default method which might trigger +a session GC based on the value of +*SESSION-GC-FREQUENCY*.

The return value is ignored.

=20 + + + acceptor + + id + + Returns the next sequential session ID, an +integer, which should be unique per session. The default method uses +a simple global counter and isn't guarded by a lock. For a +high-performance production environment you might consider to use a +more robust implementation. + + + acceptor @@ -1372,8 +1465,8 @@ Returns the current session database which is an alist where each car is a session's ID and the cdr is the -corresponding SESSION object itself. The default is to use a global -list for all acceptors. +corresponding SESSION object itself. The default +is to use a global list for all acceptors. =20 @@ -1384,67 +1477,23 @@ lock - A function which returns a lock that will be used -to prevent concurrent access to sessions. The first argument will be -the acceptor that handles the current request, the second argument is -true if the whole (current) session database is modified. If it is -NIL, only one existing session in the database is modified. - -This function can return NIL which means that sessions or session -databases will be modified without a lock held (for example for -single-threaded environments). The default is to always return a -global lock (ignoring the ACCEPTOR argument) for Lisps that support -threads and NIL otherwise. + A function which returns a lock that will be +used to prevent concurrent access to sessions. The first argument +will be the acceptor that handles the +current request, the second argument is true +if the whole (current) session database is modified. If it +is NIL, only one existing session in the database is +modified. +

+This function can return NIL which means that sessions or +session databases will be modified without a lock held (for example +for single-threaded environments). The default is to always return a +global lock (ignoring the acceptor argument) for +Lisps that support threads and NIL otherwise. +

=20 - - - - | - - Removes sessions from the current session database whi= ch are too -old - see SESSION-TOO-OLD-P. - - - - - session - - max-time - - - - - - - session - - remote-addr - - - - - - - session - - generalized-boolean - - Returns true if the SESSION object SESSION has not bee= n active in -the last (SESSION-MAX-TIME SESSION) seconds. - - - - - session - - user-agent - - - - - request @@ -1452,16 +1501,31 @@ Tries to get a session identifier from the cookies (or alternatively from the GET parameters) sent by the client. This -identifier is then checked for validity against the REQUEST object -REQUEST. On success the corresponding session object (if not too -old) is returned (and updated). Otherwise NIL is returned. - +identifier is then checked for validity against the REQUEST object +request. On success the corresponding session object (= if not too +old) is returned (and updated). Otherwise NIL is returned. +

A default method is provided and you only need to write your own one if you want to maintain your own sessions. +

=20 + + session + + string + + Returns a string which can be used to safely +restore the session session if as session has +already been established. This is used as the value stored in the +session cookie or in the corresponding GET parameter. A default +method is provided and there's no reason to change it unless you +want to use your own session objects. + + =20 + =20 Modified: trunk/thirdparty/hunchentoot/session.lisp =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/thirdparty/hunchentoot/session.lisp 2009-02-18 21:25:42 UTC (rev 42= 82) +++ trunk/thirdparty/hunchentoot/session.lisp 2009-02-18 22:12:41 UTC (rev 42= 83) @@ -96,8 +96,8 @@ was sent when this session was created.") (remote-addr :initform (real-remote-addr *request*) :reader session-remote-addr - :documentation "The remote IP address of the client when -this sessions was started as returned by REAL-REMOTE-ADDR.") + :documentation "The remote IP address of the client +when this session was started as returned by REAL-REMOTE-ADDR.") (session-start :initform (get-universal-time) :reader session-start :documentation "The time this session was started.") --===============3979258967521433474==--