I admit to a bit of speculation here, but remember that cookies apply to
an entire tree. It may be that, because you turned on sessions at the
"/" level, the cookie is sent with the domain as "/". In that case,
that one cookie will be shared among all apps at that level and below.
Perhaps you could try:
conf = {
"/app/": {'tools.sessions.on': True},
"/app2/": {'tools.sessions.on': True }
}
but that's just speculation.
> 3) i tried the setCookie/readCookie example, http://www.cherrypy.org/wiki/Cookies,
> where cookie['root_app']['max-age'] = 3600. yet, firefox has Expires:
> at end of session, which, sure enough is the case. shut down/start up
> browser and there's no cookie left.
>
Were you doing this by itself, or did you have sessions turned on?
> 4) i always thought that seesions differe from cookies in that they
> don't write to the client. yet, it seems that cherrypy does write a
> cookie to the client, which leads me to the question: what's the
> difference between a session and a cookie in cp? ... probably should
> have asked that right at the beginning :)
>
A "session" is just a concept. It is a way to store information that
can be passed from request to request. In order to provide session
functionality to client apps, web frameworks have to be able to know
which HTTP requests are related. That can be done in several ways. One
way is to embed a session ID in each URL. The easiest way is to send
the session ID in a cookie.
So, it's not like "sessions" and "cookies" are alternatives to each
other. Rather, cookies are just one mechanism for implementing sessions.
--
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.
Well, it is a bit muddier. Sessions are a place to stick data
(server-side). Cookies are a place to stick data (client-side). You can
use either for almost anything. But often, the only thing you stick in
the cookie is a (secure) pointer/identifier to the session.
Robert Brewer
fuma...@aminus.org
displayAddedFriendsProfile();
displayAddedFriendsProfile
The answer is "half yes," not "BIG YES". Yes, you can read cookies from
Javascript. However, a session variable is stored within the CherryPy
process on the server side. It is not transmitted to the client. The
cookie is just a way for CherryPy to go find the stored session data for
this session
>
> 2) Since sessions use cookies for implementation why not use cookies
> directly?
Do you mean, for session data? Because the entire contents of each
cookie for the site are sent by the browser with EVERY request it makes
from your web site. If your HTML code has references to 20 little GIF
images, the cookies will be transmitted 21 times. Since session data
can potentially be large, the disadvantage should be obvious.
basic_auth authentication has nothing to do with either cookies or
sessions. Remember that basic_auth works with straight HTML pages,
where there is no scripting at all. It is a separate, private
communication between the web server and the browser. There is no way
from the server side (that I am aware of) to force a basic_auth login to
expire.
If you want logins to expire, you need to throw out basic_auth
authentication and do the authentication yourself, by remembering the
validated user name in your session variable. That way, when you force
your cookie to expire, your remembered login name will go away, and you
can bring up your own login page.
> things got worse when i tried to correlate a session with ah html form
> submission.
>
I don't understand that. Once you have a cookie-based session, you
should have your session data available for every request, either GET or
POST.
It's a good idea to turn off sessions on your static-serving
subdirectories unless you absolutely need them.
That said, there are other reasons you wouldn't want to send the
session data in the actual cookie. You probably don't want someone
tampering with the data in the cookie and then sending it back. That
might do Bad Things to your app. Rails uses cookies as session
stores, but it encrypts the data, thus making reading it on the
client-side not possible (unless you do decryption client-side as
well, and then you're back to square one).
So yeah, what Tim said - keep your sessions on the server.
Christian
http://www.dowski.com
Well. AFAIK Rails only sign session cookies, but does not encyrpt them (as
opposed to ex. beaker, which can do both). This means the cookie can be read,
but not tampered with. The data in the cookie looks like garbage only because
of Ruby serialization format, which is less readable than python's pickle.
--
Paweł Stradomski
Let's don't overestimate the problem.
> Say I have a user logged into my system. I store his user ID in a client
> cookie. I am using a lot of ajax for data going back and forth, the page
> almost never refreshes. Does this mean the cookie is going to be thrown
> about between the client and the server like a squash ball in a squash
> court?
Every request from the browser will contain the cookie. The response will only
contain it if it changes.
Also note, that you can not trust the data that comes from the cookie - it
should be treated as possibly malicious, just like data in the POST body and
query string. So I'd rather store the user id in the session, not in the
cookie, or use signed cookies (there is no built-in support for that in
cherrypy, although it can be easily done).
> If it is expensive, then what can I use to maintain state on the client
> side? Eq if a user is logged in how do i track it. Also if the session
> handling is on the server side, and I cannot access it on the client side,
> then should I be using my templating engine in this case mako to access
> server side variables and then using javascript to access those variables
> to make choices on the client side.
If both client and server need to know the same shared state, then something
is probably wrong. I've never needed to access cookie data in the javascript.
>
> SHould I be using javascript sessions and cookies? Are these different from
> cherrypy sessions and cookies? Are they more economical to use?
There are no javascript sessions. After a page is reloaded, all javascript
state is dropped for the reloaded frame/window. There are no javascript
cookies - it's just that javascript can access the cookie data that is
transferred to and from the server.
> Sorry about so many questions, but this is getting confusing given that we
> have cherrypy, mako, javascript, and two varieties of sessions and cookies
--
Paweł Stradomski
Why? The mechanism to read and set cookies is there in JS, there's
nothing wrong with using it.
> Normally I would just have passed the variable fro, the server to the client
> as a straight variable. The complication is in using AJAX where I return one
> variable from the server and the variable contains the response to the AJAX
> request. So I use responseText in javascript to gather that. This means I
> cannot send back other variables to the server in an ajax call. I could add
> them in the one variable that i am sending back to the client and parse it
> in javascript to extract it. But thats doing too much.It seems inelegant and
> goes against the pythonic objective of being lazy :). So if I can only pass
> one variable from the server to the client in an ajax call, then i need to
> put the other variables that i need to pass to the client somewhere else.
There is absolutely no restriction that says you can pass only one
variable in the result. Packing up a lot of data in a string and then
parsing it is quite common practice. I'd recommend using JSON, as
parsing it on the client side requires nothing more than a call to
eval(). Also, if you are using some JS-library, most of them have
conveniece methods for making an Ajax call and parsing the result as a
JSON string.
To create JSON on the server side, look up simplejson.
> For now i have put it in a cookie which i look up in the javascript. Do you
> think this is a valid approach or should i be :
> 1) Putting it in a session and getting that in javascript. But you are
> saying javascript cannot pick up server session variables so this seems out.
The "session" is an dictionary on the server side. These dictionaries
are identifed with the session id, which is stored in a cookie. So
unless you specificly stuff all your session data in cookies yourself,
the session ID is really the only thing you can access from JS.
Needless to say, that is of little use on the client side.
> 2) Putting it with the single variable i am returning from the client to the
> server. The single variable contraint seems to happen in ajax where the
> client uses that variable as "responseText". Then proceed to parse of client
> side and do a bunch of inelegant hacking.
> Am I missing a really simple straight solution here?
Yes, the standard practice today is indeed to serialize everything
into a string, read it from responseText and parse it into individual
variables. As mentioned above, JSON makes this trivial.
cheers,
Arnar
That's not what I meant at all. Cookies that only contain a session id
are cheap. No reason not to use them.
Robert Brewer
fuma...@aminus.org
My favourite right now is jQuery: http://jquery.com/
If you like Python, MochiKit is also pretty good: http://mochikit.com/
cheers,
Arnar
You are choosing to misunderstand what is being said here. There is no
heavy lifting. Come on -- do the math. An "id" cookie is typically a
dozen or two bytes. Unless you are running on a 300 baud modem, adding
two dozen bytes to each HTTP request represents an insignificant
additional burden on your bandwidth. Even if you are getting 1,000
requests a second, a 32-byte cookie isn't going to be noticed.
The facts are simple. If you hope to maintain any kind of session
state, then you must find a way to uniquely identify all requests from a
given client. To do that, you must induce the client to send you some
kind of unique identifier with each request. To do THAT, you can
either do it yourself, by adding to the URL or using a variable in each
POST, or you can use a cookie. In either case, you are adding rouhgly
the same number of bytes to each request. There is no free lunch.
Once you accept that, you can look at the available alternatives.
Cookies are ubiquitous and automatic. Because of that, I think they are
an excellent way to go.
> Arnar, so parsing the string seems like the way to go. I will look up
> json. Am trying to avoid yet another frameworkin the mix. I am
> managing with straight javascript. I have written all the ajax and
> everything directly. But i guess it wouldnt hurt to explore whats out
> there in terms of js frameworks.Any recommendations for good frameworks?
Be very careful about tightly coupling your Javascript and your server
code. It's very easy to make such a combination complicated and
delicate. Browsers are unpredictable. Also remember that, if you hope
to appeal to a wide audience, a certain percentage of your users will
have Javascript disabled. In that case, you need to think about having
your site work even without AJAX.
I tend to fall back to AJAX only as a last resort. Round-trip times
today are typically good enough that most sites don't absolutely require it.
I just finished reading and writing a report on "Dojo - The Definitive Guide"
by O'Reilly. All of the server-side code examples use cherrypy.
I predict that as time goes by, there will be a greater demand for client-side
scripting and a comparative reduction in demand for server-side scripting.
I wish I were wrong, 'cuz I really like python and don't like coding in
javascript.
regards
Tim Johnson
Alaska Internet Solutions
Yes, I agree, for a couple of additional reasons.
Complexity is not a good thing. Synchronous web applications are
simple. Simple to understand, simple to construct. The
one-request-one-answer paradigm puts a very tight limit on the amount of
state that's dangling around and the number of paths that the app can
take, all of which makes it possible to write even large applications
that are relatively easy to understand, and are self-contained enough
that they can be proven correct. At the turn of the century, I was
actually migrating many of my desktop applications to web applications
because this simplicity was so compelling.
Adding AJAX to the mix ruins that. Even if you are a programming
wizard, and I immodestly count myself in that group, AJAX makes things
freakin' complicated. You are now deeply involved in client/server
programming, with complicated inter-process communication. (Yes,
technically a CGI script is part of a client/server communication, but
that's all hidden from me.) State is split between the server and the
client in ways that are not yet standardized and somewhat difficult to
secure.
Perhaps, in a couple of years, the web world will standardize on a basic
AJAX library, so that the browser becomes less of a blank slate and more
of a standardized toolkit. At that point, dynamic web applications will
be fun again.
On Tue, Sep 9, 2008 at 22:37, Tim Roberts <ti...@probo.com> wrote:
> Yes, I agree, for a couple of additional reasons.
>
> Complexity is not a good thing. Synchronous web applications are
> simple. Simple to understand, simple to construct. The
> one-request-one-answer paradigm puts a very tight limit on the amount of
> state that's dangling around and the number of paths that the app can
> take, all of which makes it possible to write even large applications
> that are relatively easy to understand, and are self-contained enough
> that they can be proven correct. At the turn of the century, I was
> actually migrating many of my desktop applications to web applications
> because this simplicity was so compelling.
>
> Adding AJAX to the mix ruins that. Even if you are a programming
> wizard, and I immodestly count myself in that group, AJAX makes things
> freakin' complicated. You are now deeply involved in client/server
> programming, with complicated inter-process communication. (Yes,
> technically a CGI script is part of a client/server communication, but
> that's all hidden from me.) State is split between the server and the
> client in ways that are not yet standardized and somewhat difficult to
> secure.
I've in fact taken the opposite direction. Many of my newer apps
utilized the browser as a GUI platform only, while application logic
took place on the server and communication between them was through
some ad-hoc json-based API. This works pretty well and results in more
intuitive and responsive web appliations in my case.
Decoupling front- and back-ends of applications is not a new concept,
and is even favored in many circumstances. I don't see why
web-applications can't use methods and paradigms developed throughout
the years. What matters is a clean interface (API) between the
frontend and the backend, which is relatively easy to design in many
cases. Once you get in the habit of thinking of the browser as GUI
platform loosely coupled with the appliation itself, things can
actually work out quite nicely. The browser needs not keep any state,
except for presentation purposes, and certainly not between page
requests (I use "page requests" to distinguish from ajax requests).
With Python on the server side and JS (preferably some library) on the
client side, it is also easy to set up a small API framework where it
is easy to clearly define the interface between the browser and the
server. The web application then becomes two parts, one is the part
serving up pages - which become few and stupid, essentially dealing
mostly with authentication and serving up bytes, and on the other hand
an application programming interface. If this is correctly designed,
the API can even be used by richer client frameworks or other servers
(I've used this quite a bit with server-to-server communication where
two seperate webapps delegate some services to each other).
My point is, Javascript is here to stay, and can be quite useful in
the right context. If you are building an actual web-application, as
opposed to a website mainly as a marketing tool or an information
source, there is in my opinion no harm today to say "This website uses
Javascript, please turn it on."
cheers,
Arnar
Gloria
On Tue, Sep 9, 2008 at 23:10, Gloria W <stra...@comcast.net> wrote:
> Google is attempting to standardize on JSON transaction models, which is
> interesting:
> http://code.google.com/apis/protocolbuffers/
> If proper AJAX support is added, this could be useful on the server
> side. It may also turn out to be too bloated, ruining the elegance and
> simplicity of JSON.
ProtocolBuffers are not meant to replace JSON, they are just an
efficient binary serialization format. The main thing that seperates
ProtocolBuffers from other formats is version independence of
messages, i.e. as long as you follow some simple rules for updating
message descriptions, old messages remain valid on new descriptions
and vice versa. Apart from that, PB can be likened to Adobe's AMF.
If browser start supporting ProtocolBuffers natively and provide the
interface for it to JS, they might very well become a good alternative
to JSON, XML or ad-hoc text formats, but I think Google's intentions
are different for now. HTTP performance is still the bottleneck so
there is little to gain from more efficient data formats.
cheers,
Arnar
This is an interesting point. In actual fact, AJAX is never a user
requirement. A proper specification will never say "the site must use
AJAX". Instead, the specification will talk about the user experience,
and acceptable response times, and things like that. It might be that
the requirements can only be achieved today by using AJAX, but they also
might be possible through some simpler means.
By the way, I've enjoyed this thread very much. My AJAX dabbling has
always been rather frustrating, and I have appreciated learning about
the design philosophies expressed here.
Ajax is just javascript. Thus if javascript
is enabled, ajax is enabled (given the codebase)
> By the way, I've enjoyed this thread very much. My AJAX dabbling has
> always been rather frustrating, and I have appreciated learning about
> the design philosophies expressed here.
dojo advertises that any discrepancies between browsers is handled by
it's libraries - including client/server communication (ajax) and ancillary
issues,
plus dom navigation. We've decided to start using it where necessary -
at least on a test basis
> It might be that
> the requirements can only be achieved today by using AJAX, but they also
> might be possible through some simpler means.
- And I'm open to that. I've also noted that Craig's List seems to be a very
successful site and it uses _very_ simple approaches. I would think that
a customized server + good server handling might be an acceptable alternative.
Tim