[Framework-Team] Re: PLIP 48 review notes

Fri Sep 15 17:57:53 UTC 2006

Hi Folks,

thanks for reviewing the bundle. I have a couple of remarks.

SessionCrumbler was not written for this. Instead its a well maintained
product which is in use some hundred production systems worldwide. Are
you sure you want a seperate (fork) of the SessionCrumbler codebase just
for layout reasons?

There is a thing called sessionlazycheck inside the SessionCrumbler
product. This is a tiny python module which allows code to check if
there is a session without actually creating one. This needs to be used 
anywhere inside the system where it might be required to get session
content (i have no idea if there are such places atm, but in the past
there have been a lot).

Really the two issues are non issues cause they are just documentation
issues. But i aggree that this change to plone needs to be known to the
CacheFu Devs.

Some other remark onto sessions. Imho we have to make sure that no
session is created for plone anoymous access. Regarding this would mean
only request without session are cacheable. As soon as a request has a
session it might be personalized and is not cacheable without further
consideration (at least this should be the default for html pages,
images (most important skin stuff) should be cached anytime). 

Best regards,
Simon

Am Dienstag, den 12.09.2006, 22:16 +0200 schrieb Wichert Akkerman:
> Changes from stock Plone
> ========================
> This bundle features two modifications from standard Plone:
> 
>  * adds the new SessionCrumbler product from collective
>  * Uses a modified PlonePAS
> 
> 
> PlonePAS modifications
> ----------------------
> 
> The PlonePAS modifications are restricted to deactivating the
> standard cookie authentication handler and installing the new
> credentials_session_auth plugin.
> 
> SessionCrumbler product
> -----------------------
> 
> One obvious remark is that this product does not comply with the current
> preferred layout: no seperate module for interfaces, and no plugins
> subdirectory - instead everything is put in a the top directory.
> 
> There is a lot of code to support non-PAS sites. Creating a new branch
> to remove all the legacy code, cleaning up the product structure and
> making a PAS-only release 
> 
> The PAS code itself is not complex and implements all require PAS interfaces
> correctly.
> 
> 
> Issues
> ======
> 
> The session cookie is stored in the _ZopeId cookie. This is not compatible
> with CacheFu, which checks only check for __ac cookies and the Authorization
> header. Since sessions are always a per-user thing this should be fixed in
> CacheFu (specifically its squid configuration).
> 
> Using sessions means that ZEO clusters will not work out of the box: the
> session storage is not shared between ZEO clients. This needs to be explicitly
> documented in release notes.
> 
> 