On Fri, May 2, 2014 at 2:42 PM, Jonathan Vanasco <[email protected]> wrote:
> The issue is in not having a direct association between a "session object"
> and the "cookie value" which created it.
>
> A client-side session would always correspond to the incoming cookie
> value.
>
> A server-side session could be associated with a cookie value that appears
> in either the request or response cookies -- or neither in the case of
> multiple invalidations.
>
> There's simply nothing that ties the originating cookie value to a given
> session object.
>

It seems the struggle here is that the session is not exactly what you'd like to be tracking in most cases, but rather individual activity over time. Since sessions have a defined lifetime, security issues, etc., they do not pass around a raw value and even if they do it's possible and likely that the value is not valid any longer. For example, a client can send an expired session cookie back as long as it damn well pleases and it's up to the server to ignore it. For tracking this just isn't great.

At the end of the day it really seems to me like you need another cookie/identifier to accomplish your goals.
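The separation suggested in the reply above, as an added sketch that is not part of the original thread and not Pyramid's own code: a signed visitor-id cookie kept apart from the session cookie, so the identifier survives session invalidation while stale session values are ignored. The names `SessionStore`, `handle_request`, the cookie names and the signing key are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example; a real deployment loads it from secret storage.
SECRET = b"example-only-signing-key"

def _sign(value: str) -> str:
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def issue_visitor_cookie() -> str:
    """New visitor cookie value: random id plus an HMAC tag over it."""
    vid = secrets.token_urlsafe(16)
    return f"{vid}.{_sign(vid)}"

def read_visitor_cookie(raw):
    """Return the visitor id if the tag verifies, otherwise None."""
    if not raw or "." not in raw:
        return None
    vid, _, tag = raw.rpartition(".")
    # Compare as bytes so a non-ASCII tag is rejected instead of raising.
    if not hmac.compare_digest(tag.encode(), _sign(vid).encode()):
        return None
    return vid

class SessionStore:
    """Toy server-side session store (hypothetical)."""
    def __init__(self):
        self._live = {}
    def create(self) -> str:
        sid = secrets.token_urlsafe(16)
        self._live[sid] = {}
        return sid
    def invalidate(self, sid):
        self._live.pop(sid, None)
    def load(self, sid):
        return self._live.get(sid)

def handle_request(store, cookies):
    """Return (visitor_id, session_id, cookies_to_set) for one request."""
    out = {}
    vid = read_visitor_cookie(cookies.get("visitor"))
    if vid is None:  # missing or tampered: mint a fresh identifier
        out["visitor"] = issue_visitor_cookie()
        vid = read_visitor_cookie(out["visitor"])
    sid = cookies.get("session")
    if sid is None or store.load(sid) is None:  # absent or stale: server ignores it
        sid = store.create()
        out["session"] = sid
    return vid, sid, out
```
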
