Hi Lukas!
Please use the mailing list for further questions and comments.
Thanks.
On Fri, 25 Feb 2005 11:55:18 +0000, Lukas Trejtnar <l.trejtnar(a)open.ac.uk> wrote:
> I have been using the mod_lisp module for a couple of years where I
> wrote a Lisp counterpart myself. I didn't implement a
> session/cookie management and because of that would like to start
> using your TBNL library. It looks like a great piece of work.
Thanks... :)
> I was reading through a documentation of TBNL and not sure about
> testing session expiration. My scenario would be a login page where
> a user would authorise and a new session would be created, then a
> user would browse pages, and every time the session would be checked
> to see whether it had expired. If it did, a user would be redirected to the
> login page. It's a standard scenario, I guess. Here comes my
> question.
>
> How do I hook up 'session expires' to the authorisation? After
> reading the documentation, I assume, that I would modify a value of
> *session-removal-hook* to redirection function. Is it how you
> designed it? Do you have any practical examples?
I'm not sure I fully understand your question, or maybe we're talking
about different things.
If you're using TBNL's session facility you don't have to keep track
of session expiry yourself - TBNL will do that for you. If you have
the same idea about session expiry that TBNL has, that is. Each
session object has a slot which holds the number of seconds this
session is valid without user interaction - see the docs for
SESSION-MAX-TIME.[1] If the user is idle longer than this period then
the session will be automatically invalidated. This doesn't necessarily
mean that the session object is garbage-collected at this point but it
/does/ mean that you can't access the session object anymore,
i.e. TBNL will behave as if there had never been a session object.
In other words: Usually you shouldn't have to care about
*SESSION-REMOVAL-HOOK*, it's a finalizer kind of thing that's rarely
useful.
Now, sessions aren't necessarily related to authorization but they can
be used for it. One approach that I've been using is the following:
After a successful login the server stores some kind of object in the
session which "proves" that the user is authorized, like this:
(setf (session-value 'user) (make-foo-object))
Then I can wrap all pages requiring authorization into a macro that
looks like this (untested):
  (defmacro with-authorization (&body body)
    `(cond ((is-foo-object (session-value 'user))
            ,@body)
           (t (redirect "/login-page.html"))))
Does that answer your question?
Cheers,
Edi.
PS: I'll be away for two days so I probably won't answer before
Monday.
[1] Just noticed that the default value (30 minutes) isn't documented
and *SESSION-MAX-TIME* isn't exported. This'll be fixed in a
future release.
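The approach Edi sketches above, spelled out as an added example that is not part of the original mail thread and not TBNL's own code: a login handler that stores a "proof" object in the session, a WITH-AUTHORIZATION macro that gates pages on it, and a logout handler. The names taken from the TBNL/Hunchentoot API (*dispatch-table*, create-prefix-dispatcher, start-session, remove-session, *session*, session-value, post-parameter, redirect, escape-for-html, *session-max-time*) are assumed to behave as they do in later Hunchentoot releases; the package name, the AUTHENTICATED-USER struct, the credential table and the page bodies are hypothetical.

```lisp
;;; Added example, not from the original mail or from TBNL itself.
;;; Assumed TBNL/Hunchentoot API: *dispatch-table*, create-prefix-dispatcher,
;;; start-session, remove-session, *session*, session-value (setf-able),
;;; post-parameter, redirect, escape-for-html, *session-max-time*.
;;; The package, user struct, credential table and pages are illustrative.

(defpackage :session-demo (:use :cl :tbnl))   ; hypothetical package
(in-package :session-demo)

;; Idle timeout in seconds.  TBNL enforces it on its own; we only pick a
;; shorter value than the (undocumented, see [1]) default of 30 minutes.
;; Double colon because the variable is not exported in this release.
(setf tbnl::*session-max-time* (* 15 60))

;; The "proof" object kept in the session after a successful login.
;; DEFSTRUCT generates AUTHENTICATED-USER-P, which plays the role of
;; IS-FOO-OBJECT in Edi's sketch.
(defstruct authenticated-user
  name
  (login-time (get-universal-time)))

(defmacro with-authorization ((user-var) &body body)
  "Evaluate BODY with USER-VAR bound to the AUTHENTICATED-USER stored in
the current session.  If there is none (never logged in, logged out, or
the idle timeout removed the session), redirect to the login page.  No
explicit expiry check is needed: an expired session reads as NIL here."
  `(let ((,user-var (session-value 'user)))
     (if (authenticated-user-p ,user-var)
         (progn ,@body)
         (redirect "/login"))))

;; Constructed stand-in for a credential store.  A real one would compare
;; salted password hashes rather than plaintext strings.
(defparameter *users* '(("lukas" . "correct horse battery staple")))

(defun valid-credentials-p (name password)
  (let ((entry (assoc name *users* :test #'string=)))
    (and entry password (string= (cdr entry) password))))

(defun login-page (&optional message)
  (format nil "<html><body>~@[<p>~a</p>~]
<form method=\"post\" action=\"/login\">
Name: <input name=\"name\">
Password: <input name=\"password\" type=\"password\">
<input type=\"submit\" value=\"Log in\"></form></body></html>"
          message))

(defun login-handler ()
  (let ((name (post-parameter "name"))
        (password (post-parameter "password")))
    (cond ((and name (valid-credentials-p name password))
           ;; Throw away any session that existed before authentication
           ;; and start a fresh one, so a session id planted in the
           ;; browser beforehand is never upgraded to a logged-in session.
           (when *session* (remove-session *session*))
           (start-session)
           (setf (session-value 'user)
                 (make-authenticated-user :name name))
           (redirect "/secret"))
          (t (login-page (and name "Login failed."))))))

(defun logout-handler ()
  ;; Removing the session is what makes WITH-AUTHORIZATION fail again.
  (when *session* (remove-session *session*))
  (redirect "/login"))

(defun secret-handler ()
  (with-authorization (user)
    (format nil "<html><body>Hello, ~a. <a href=\"/logout\">Log out</a></body></html>"
            (escape-for-html (authenticated-user-name user)))))

(setf *dispatch-table*
      (list (create-prefix-dispatcher "/login" 'login-handler)
            (create-prefix-dispatcher "/logout" 'logout-handler)
            (create-prefix-dispatcher "/secret" 'secret-handler)))
```

The proof object is written to the session only on the success branch of the login handler, so every page wrapped in WITH-AUTHORIZATION inherits the idle-timeout behaviour Edi describes without checking clocks itself; once TBNL has dropped the session, (session-value 'user) is NIL, the predicate fails, and the user lands on /login. Starting a new session at login rather than reusing whatever session the browser already carried is the one addition a security reviewer would insist on.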