Hi Lukas!
Please use the mailing list for further questions and comments. Thanks.
On Fri, 25 Feb 2005 11:55:18 +0000, Lukas Trejtnar l.trejtnar@open.ac.uk wrote:
> I have been using the mod_lisp module for a couple of years, for which I wrote a Lisp counterpart myself. I didn't implement session/cookie management and because of that would like to start using your TBNL library. It looks like a great piece of work.
Thanks... :)
> I was reading through the documentation of TBNL and am not sure about testing session expiration. My scenario would be a login page where a user would authorise and a new session would be created; then the user would browse pages and the session would be checked every time to see whether it had expired. If it had, the user would be redirected to the login page. It's a standard scenario, I guess. Here comes my question.
> How do I hook up 'session expires' to the authorisation? After reading the documentation, I assume that I would set *session-removal-hook* to a redirection function. Is that how you designed it? Do you have any practical examples?
I'm not sure I fully understand your question, or maybe we're talking about different things.
If you're using TBNL's session facility you don't have to keep track of session expiry yourself - TBNL will do that for you. If you have the same idea about session expiry that TBNL has, that is. Each session object has a slot which holds the number of seconds this session is valid without user interaction - see the docs for SESSION-MAX-TIME.[1] If the user is idle longer than this period then the session will be automatically invalidated. This doesn't necessarily mean that the session object is garbage-collected at this point but it /does/ mean that you can't access the session object anymore, i.e. TBNL will behave as if there had never been a session object.
In other words: Usually you shouldn't have to care about *SESSION-REMOVAL-HOOK*, it's a finalizer kind of thing that's rarely useful.
Now, sessions aren't necessarily related to authorization but they can be used for it. One approach that I've been using is the following: After a successful login the server stores some kind of object in the session which "proves" that the user is authorized, like this:
(setf (session-value 'user) (make-foo-object))
Then I can wrap all pages requiring authorization into a macro that looks like this (untested):
(defmacro with-authorization (&body body)
  `(cond ((is-foo-object (session-value 'user))
          ,@body)
         (t
          (redirect "/login-page.html"))))
Does that answer your question?
Cheers, Edi.
PS: I'll be away for two days so I probably won't answer before Monday.
[1] Just noticed that the default value (30 minutes) isn't documented and *SESSION-MAX-TIME* isn't exported. This'll be fixed in a future release.
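The approach sketched in the reply above (a login handler that stores a proof-of-authorization object in the session, and a macro that gates pages on it), written out as an added example that is not part of the original message or of TBNL itself. It assumes TBNL's SESSION-VALUE, START-SESSION, REDIRECT, SESSION-MAX-TIME, *SESSION* and POST-PARAMETER; CHECK-PASSWORD is a hypothetical stand-in for the application's own credential check.

```lisp
;;; Added example, not code from the original message.
;;; Assumed TBNL API: SESSION-VALUE, START-SESSION, REDIRECT,
;;; SESSION-MAX-TIME, *SESSION*, POST-PARAMETER.

;; The "proof" object stored in the session. Using a struct (rather than
;; a flag like T) lets the predicate below distinguish a real login from
;; any other value that might end up under the 'USER key.
(defstruct authenticated-user
  name)

(defun check-password (name password)
  "Hypothetical placeholder for the application's credential check."
  (and (string= name "alice") (string= password "correct-horse")))

(defmacro with-authorization (&body body)
  "Run BODY only if the current session carries an AUTHENTICATED-USER.
An expired or absent session yields NIL from SESSION-VALUE, so it
fails the same test as a session that never logged in."
  `(cond ((authenticated-user-p (session-value 'user))
          ,@body)
         (t
          (redirect "/login-page.html"))))

(defun login-handler ()
  "Handler for the login form: on success, start a session, store the
proof of authorization in it and shorten the idle timeout to 10 minutes."
  (let ((name (post-parameter "name"))
        (password (post-parameter "password")))
    (cond ((and name password (check-password name password))
           (start-session)
           (setf (session-value 'user)
                 (make-authenticated-user :name name))
           ;; SESSION-MAX-TIME is in seconds; the default is 30 minutes.
           (setf (session-max-time *session*) 600)
           (redirect "/account.html"))
          (t
           (redirect "/login-page.html")))))

(defun logout-handler ()
  "Drop the proof object so WITH-AUTHORIZATION fails from now on."
  (setf (session-value 'user) nil)
  (redirect "/login-page.html"))

(defun account-page ()
  "A protected page: reachable only with a valid, unexpired session."
  (with-authorization
    "<html><body>Welcome to your account.</body></html>"))
```

Wiring these handlers into the dispatch table is left to the reader's existing TBNL setup; note that expiry needs no code of its own, since after SESSION-MAX-TIME seconds of inactivity SESSION-VALUE simply returns NIL.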