Hi Serge,

> The sessions we are talking about are not real sessions. Real sessions are
> not possible with current Web protocols. We can talk only about session
> surrogates. Because of this, when I hear cookies I am thinking "sessions" -
> support for cookies is already support for those faked sessions. And of
> course this is not the only way to fake sessions (but most popular).

I genuinely don't fully understand the distinction of a "surrogate" or "fake" session versus a "real" one in this context. This is probably a failure of my education. Can you (or someone else who gets this) give me a reference to some reading material?

> The problem is that, most likely, home-grown-cookies-based-sessions will be
> really bad - there is one big problem that is strangely missing in this
> discussion. Security. Yes, there are problems with scalability, memory
> management - but these, as strange as it may sound, are not immediate
> problems. The security is.

What is a good reference implementation of a sufficiently secure system that could be emulated or connected to in Restlet? Who does it "right"? I'm not being facetious, I'm asking so that I can study it and propose some ideas, write or adapt an external library that provides what you asked for.

> This purism in its belief in what is right and what is not usually does not
> end up in great successes. This reminds me of the "prohibition" experiments
> in America. Guess what, if you think you can prohibit alcohol by changing
> the constitution (because it's bad and people sometimes DUI) - people are
> not going to listen to you even if it's in the constitution.

I'm sorry if you got the impression that censorship or prohibition is going on. Still, you made your case in a public forum that Restlet should contain a session mechanism. I feel pretty strongly that it shouldn't, so I responded. I think that people should have easy access to any number of session (or "session surrogate") mechanisms that adapt as easily as HTTP servers and clients to Restlet, but I don't think that Restlet should contain or provide its own. This amounts to an "establishment of religion" that I feel strongly would be poisonous.

To overextend the metaphor: I certainly don't advocate prohibition of alcohol. But I also don't advocate the government canonizing Jack Daniels as the national drink and issuing a bottle to every taxpayer of drinking age. Just let people choose something instead of being spoon-fed a solution. Is that an unreasonable position?

> I would also like to point out that software engineers and Web developers
> will not be the only judges. You will also have project managers and
> security folks and, at the end, users.

On that, we fully agree.

Peace,
- R
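The thread's two technical points are that HTTP has no real sessions, only a token the client echoes back, and that home-grown cookie sessions tend to fail on security. The following is an added example, not code from this thread and not part of Restlet, showing the checks such a "session surrogate" needs to get right: an unguessable random id rather than a counter, an HMAC over the id and expiry so the client cannot edit either, constant-time comparison of the MAC, an expiry that is enforced server-side, and a cookie emitted with `Secure`, `HttpOnly` and `SameSite`. The cookie name `SID`, the 30-minute lifetime and the `id.expiry.mac` layout are assumptions made for the example.

```python
"""Cookie-backed "session surrogate" with the checks a home-grown one usually omits.

Added example for this discussion; it is not Restlet code.  Cookie name,
lifetime and token layout are assumptions, not anything from the thread.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

COOKIE_NAME = "SID"        # assumed cookie name
SESSION_TTL = 30 * 60      # assumed policy: 30-minute sessions


class SessionStore:
    def __init__(self, key: bytes, clock=time.time):
        if len(key) < 32:
            raise ValueError("HMAC key must be at least 32 bytes")
        self._key = key
        self._clock = clock          # injectable so expiry can be tested
        self._sessions: Dict[str, dict] = {}   # sid -> {"user", "expires"}

    def _sign(self, sid: str, expires: int) -> str:
        # MAC covers both id and expiry, so neither can be edited client-side
        return hmac.new(self._key, f"{sid}.{expires}".encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)       # 256-bit random id, never a counter
        expires = int(self._clock()) + SESSION_TTL
        self._sessions[sid] = {"user": user, "expires": expires}
        return f"{sid}.{expires}.{self._sign(sid, expires)}"

    def set_cookie_header(self, token: str) -> str:
        # Secure: TLS only; HttpOnly: hidden from scripts; SameSite: limits cross-site sends
        return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def resolve(self, token: Optional[str]) -> Optional[str]:
        """Return the user bound to a cookie value, or None if it is not valid."""
        if not token:
            return None
        parts = token.split(".")
        if len(parts) != 3 or not parts[1].isdigit():
            return None
        sid, exp_str, mac = parts
        expires = int(exp_str)
        # constant-time compare, so a wrong MAC cannot be guessed byte by byte
        if not hmac.compare_digest(self._sign(sid, expires), mac):
            return None
        if expires <= int(self._clock()):
            self._sessions.pop(sid, None)      # lazily purge expired entries
            return None
        entry = self._sessions.get(sid)
        if entry is None or entry["expires"] != expires:
            return None                        # unknown or revoked session
        return entry["user"]

    def revoke(self, token: str) -> None:
        """Server-side logout: the cookie keeps a valid MAC but is no longer honoured."""
        self._sessions.pop(token.split(".")[0], None)


def demo() -> Dict[str, Optional[str]]:
    """Exercise the store with a fixed clock; values are constructed for the demo."""
    now = [1_700_000_000]
    store = SessionStore(secrets.token_bytes(32), clock=lambda: now[0])
    token = store.issue("alice")
    sid, exp, mac = token.split(".")
    results = {
        "valid": store.resolve(token),
        "tampered_expiry": store.resolve(f"{sid}.{int(exp) + 3600}.{mac}"),
        "forged_mac": store.resolve(f"{sid}.{exp}.{'0' * 64}"),
        "garbage": store.resolve("not-a-token"),
    }
    now[0] += SESSION_TTL + 1
    results["expired"] = store.resolve(token)
    fresh = store.issue("bob")
    store.revoke(fresh)
    results["revoked"] = store.resolve(fresh)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the example makes for the debate is that none of these checks are HTTP features; every one of them is a policy the application layer has to choose and implement, which is why a framework shipping one fixed mechanism is a design decision rather than a protocol necessity.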

