Dieter Maurer wrote:
> Phillip J. Eby writes:
>  > The actual lifetime of a browser ID will be controllable by the Zope site
>  > manager.  I agree with you, however, in that the default lifetime should be
>  > reasonable.  Indeed, I would suggest that the default simply be to use
>  > cookies with no expiration date, and which therefore only live so long as
>  > the user's browser is open, be it minutes or days.
> I would be very happy with this.

Good, that's what it is now.  :-)

>  > As I understand it, the "Access Session Data" permission gives you the
>  > right to call a method that returns you the session data for the current
>  > request, but does not give you the right to access arbitrary session data.
>  > Thus, one only has permission to see one's own session data.
> Do we need a special permission for this?
> All users will have it (when sessions are used at all).
> Thus, why clutter the (already cluttered) security management screen
> with an additional permission.

It is advantageous to prevent certain users from accessing session data
(such as non-anonymous, non-management users with TTW scripting
capabilities) so they cannot arbitrarily examine session data values.

Chris McDonough
Digital Creations, Publishers of Zope

Zope-Dev maillist  -  [EMAIL PROTECTED]