Hi Lukas!
Please use the mailing list for further questions and comments. Thanks.
On Fri, 25 Feb 2005 11:55:18 +0000, Lukas Trejtnar l.trejtnar@open.ac.uk wrote:
I have been using the mod_lisp module for a couple of years, for which I wrote a Lisp counterpart myself. I didn't implement session/cookie management and because of that would like to start using your TBNL library. It looks like a great piece of work.
Thanks... :)
I was reading through the documentation of TBNL and I'm not sure about testing session expiration. My scenario would be a login page where a user would authorise and a new session would be created; then the user would browse pages and each time the session would be checked to see whether it had expired. If it had, the user would be redirected to the login page. It's a standard scenario, I guess. Here comes my question.
How do I hook up 'session expires' to the authorisation? After reading the documentation, I assume that I would set the value of *session-removal-hook* to a redirection function. Is that how you designed it? Do you have any practical examples?
I'm not sure I fully understand your question, or maybe we're talking about different things.
If you're using TBNL's session facility you don't have to keep track of session expiry yourself - TBNL will do that for you. If you have the same idea about session expiry that TBNL has, that is. Each session object has a slot which holds the number of seconds this session is valid without user interaction - see the docs for SESSION-MAX-TIME.[1] If the user is idle longer than this period then the session will be automatically invalidated. This doesn't necessarily mean that the session object is garbage-collected at this point but it /does/ mean that you can't access the session object anymore, i.e. TBNL will behave as if there had never been a session object.
In other words: Usually you shouldn't have to care about *SESSION-REMOVAL-HOOK*, it's a finalizer kind of thing that's rarely useful.
Now, sessions aren't necessarily related to authorization but they can be used for it. One approach that I've been using is the following: After a successful login the server stores some kind of object in the session which "proves" that the user is authorized, like this:
(setf (session-value 'user) (make-foo-object))
Then I can wrap all pages requiring authorization into a macro that looks like this (untested):
(defmacro with-authorization (&body body)
  `(cond ((is-foo-object (session-value 'user)) ,@body)
         (t (redirect "/login-page.html"))))
Does that answer your question?
Cheers, Edi.
PS: I'll be away for two days so I probably won't answer before monday.
[1] Just noticed that the default value (30 minutes) isn't documented and *SESSION-MAX-TIME* isn't exported. This'll be fixed in a future release.
On 2005-02-25 21:33:56, Edi Weitz wrote:
SESSION-MAX-TIME.[1] If the user is idle longer than this period then the session will be automatically invalidated. This doesn't necessarily mean that the session object is garbage-collected at this point but it /does/ mean that you can't access the session object anymore, i.e. TBNL will behave as if there had never been a session object.
But I hope the session will be removed at some time, even when nobody tries to access an expired session?
On Fri, 25 Feb 2005 22:35:18 +0100, Stefan Scholl stesch@no-spoon.de wrote:
But I hope the session will be removed at some time, even when nobody tries to access an expired session?
Yes, see the code for SESSION-GC. It will be removed at some time unless nobody tries to access any session at all, whether expired or not.
To make this more clear:
1. Whenever you try to access an expired session it will be automatically removed and thus your Lisp is free to garbage-collect it now.
2. Whenever any session whatsoever is accessed a global counter is increased and at certain intervals (there's a special variable for that but I don't think it's exported) all sessions which are expired will be removed even if their users haven't accessed them.
This implies that sessions might stay in the Lisp image for a long time (although expired) /if/ there's no traffic /or/ if there's only traffic that doesn't use sessions.
The alternative would be a separate thread which checks for expired sessions independently of server traffic. I think that's overly complex, though, and the benefit of the current solution is that it kind of automatically adapts to the server load.
Cheers, Edi.
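The expiry and garbage-collection behaviour described in points 1 and 2 above, together with the with-authorization pattern from the earlier message, as an added example in Python that models the mechanism; it is not TBNL's own code. SessionStore, its methods, the removal_hook argument (standing in for *session-removal-hook*), the GC_INTERVAL value and the "redirect:" return convention are all constructed here, and times are passed in explicitly as seconds so the model is deterministic.

```python
from dataclasses import dataclass, field

SESSION_MAX_TIME = 30 * 60   # idle timeout in seconds (30 min is TBNL's default, per the thread)
GC_INTERVAL = 3              # constructed value: sweep every N session accesses

@dataclass
class Session:
    values: dict = field(default_factory=dict)
    last_access: float = 0.0   # time of the last user interaction, in seconds

class SessionStore:
    """Model of TBNL's access-driven expiry, not TBNL's own code; 'now' is passed in."""
    def __init__(self, max_time=SESSION_MAX_TIME, gc_interval=GC_INTERVAL, removal_hook=None):
        self.max_time, self.gc_interval = max_time, gc_interval
        self.removal_hook = removal_hook   # stands in for *session-removal-hook*
        self.sessions, self.access_count = {}, 0
    def start(self, sid, now):
        self.sessions[sid] = Session(last_access=now)
        return self.sessions[sid]
    def _remove(self, sid):
        s = self.sessions.pop(sid)
        if self.removal_hook:
            self.removal_hook(sid, s)
    def gc(self, now):
        # Point 2 of the thread: drop every expired session, whether or not its user came back.
        dead = [sid for sid, s in self.sessions.items() if now - s.last_access > self.max_time]
        for sid in dead:
            self._remove(sid)
        return dead
    def get(self, sid, now):
        # Any session access bumps the counter and periodically triggers gc();
        # an expired session is removed and reported as absent (point 1).
        self.access_count += 1
        if self.access_count % self.gc_interval == 0:
            self.gc(now)
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_access > self.max_time:
            self._remove(sid)
            return None
        s.last_access = now   # user interaction restarts the idle clock
        return s

def with_authorization(store, sid, now, page):
    # Python rendering of the with-authorization macro: serve the page only if the
    # session carries the 'user' proof stored at login, otherwise redirect to login.
    s = store.get(sid, now)
    if s is not None and s.values.get("user") is not None:
        return page()
    return "redirect:/login-page.html"
```

Note that with a high gc_interval and no traffic, an expired session stays in the store until something accesses it, which is exactly the caveat the thread raises.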
On Fri, Feb 25, 2005 at 10:51:17PM +0100, Edi Weitz wrote:
The alternative would be a separate thread which checks for expired sessions independently of server traffic. I think that's overly complex, though, and the benefit of the current solution is that it kind of automatically adapts to the server load.
An option I've used in the past and intend to use with TBNL in the future is to have a set of URLs with access restrictions and whose handlers perform required periodic tasks. Then you could do something like this from cron:
30 * * * * wget http://my.site.com/secret/hourly-stuff
(This sort of thing is not needed for sessions for the reasons you provide, but I thought I'd bring up the possibility of a non-thread solution for tasks that need to be done periodically.)
Zach