Jeff,

So, apologies on some of the comments being in relation to old code. I printed it out the day you first committed and didn't download the changes before commenting. My bad. This whole project is developing at such a blazing speed, it's hard to keep up.

Please let us know how your thinking develops with regards to the removal of cookies. Since the application I'm developing must use both a browser and a thin client (via XML-RPC), I've been thinking of cannibalizing the session management code in cherrypy. It would make my life easier in the long run if I could maintain state regardless of which client is used, and that means removing cookies from the regular session management, as well as providing an interface for tacking on and removing state variables from XML-RPC calls. Let me know if this interests you and I'll keep you up to date. I'm not sure whether this interests the cherrypy folks or not.

Regarding the secret token, I would think verifying the IP address would provide greater security bang for the buck than creating a new token each request. As it turns out, I'll need a tremendous amount of security for my own project, far more than you or tg in general should be expected to provide. Nevertheless, I'll keep tg in mind while developing so, if applicable, perhaps I can introduce it later.

Regarding the init file, I'm specifically referring to throwing the code in the __init__.py file, not the ability to configure. The comment was somewhat tongue-in-cheek. The only reason I mentioned it was because IF the identity code ever shares its directory with other code and IF other code uses the same init file, the code will become entangled with other stuff. I realize it's a cosmetic issue only (although, down the road, it might matter). Then again, perhaps I'm missing something. Perhaps you have to use the __init__.py file for some reason? The convention I've seen is that __init__.py files generally contain code that truly only initializes stuff (and most often is empty); code that implements business logic is stored in its own aptly named file.

I'm reeeeally new to cherrypy (3 weeks) and relatively new to python (5 weeks), so take these comments with a grain of salt.

