I do not agree with item 1. Session data should never be stored client-side as it opens a rather large attack vector. The only thing which should be stored client-side is the session token in a secure, HTTPOnly cookie (which web2py currently supports). If cookies are disabled, a hidden POST field might be acceptable. Please do not store session data client-side.
References: http://www.owasp.org/index.php/Session_Management http://www.technicalinfo.net/papers/WebBasedSessionManagement.html OWASP Top 10 On Jul 29, 5:05 pm, mdipierro <mdipie...@cs.depaul.edu> wrote: > The speaker raises some good issue with Django and some do apply to > web2py > > Aside for the many jokes which are indeed funny he complains about > scalability and make these valid points: > > 1) session should be stored client side for scalability (web2py and > Django both store them server side, although it it would be trivial to > have a client side option and it is on my todo list, I will take a > patch if somebody does this first) > > 2) it is important to be able to connect to multiple databases > depending on the request (Django cannot do it, web2py can) I also just > added a modification in trunk that allows to do: > > db=DAL([uri1,uri2,uri3]) > > and it will try to connect to uri1, then uri2, then uri3. Of course > you can do > > db=DAL(random_permute(uri1,uri2,uri3)) > > to share the load at random. web2py will also try them all in case of > failure and re-try 5 times. > > 3) it would be nice if the ORM and DAL were to be smart about de- > normalization and about multiple db connection. There is a lot that > can be done in this direction. web2py allows an easy API to > denormalize many2many: > > # define some shortcuts > D,F=db.define_table, Field > # define a table dog, a person, and ownership > d=D('dog',F('name')) > p=D('person',F('name'),F('dogs')) > L=D('ownership',F('person',p),F('dog',d)) > # denormalize p.dogs > p.dogs.requires=IS_IN_DB(db,d.id,d.name,multiple=True) > # p.dogs will be used in forms, when it changes update L > def f(form): > db(L.person==form.vars.id).delete() > [L.insert(person=form.var.id,dog=k) for k in > form.request_vars.dogs] > crud.settings.create_onaccept.person.append(f) > crud.settings.update_onaccept.person.append(f) > > In principle the job of the last 5 lines could be automated and be > done under the hood (what the user speaks about). It would be too much > magic but it would be convenient. We have been discussing some of > this. > > On Jul 29, 2:53 pm, Vidul Petrov <vidul.r...@gmail.com> wrote: > > > > > > > > > Django (the opposite of RoR) sucks likes RoR (the Denmark salesman vs > > the desparate Kanzas Python programmers ambitions to create everything > > out of nothing). > > > Probably you know what's the definition of the Nobel winners for > > intellect - adequacy. > > > And in order to achieve adequacy we need compromises - web2py. > > > On Jul 29, 7:08 pm, Wobmofo <muito...@gmail.com> wrote: > > > > Cal Henderson delivered a very enterteining keynote at DjangoCon 2008. > > > Go watch the video if you haven't, it's really funny > > > !http://www.youtube.com/watch?v=i6Fr65PFqfk
