Mailing List Archive

Securely storing variables without session in zope
Hi,

I want to store values in variables to access from another page (a.k.a. state management).
Now I cannot use sessions since I have multiple Zope instances & if one fails the user needs to be redirected to another Zope instance, and one session is valid only for one Zope instance.
Now my remaining options are:
1) Submit a hidden input tag using the POST method
2) Passing through the URL with the GET method
3) Using cookies
4) Using a database (which I think is 'making simple things complex')
I am not even considering the first 2 methods and I think using cookies is not secure.
So is there a commercial or open source module that can securely (encryption etc.) do cookie management?
If not I will have to use a database.
Please inform me if I am missing something.
Version - Zope 2.11.1

Regards
Jibin
Re: Securely storing variables without session in zope
On Tuesday 14 June 2011, Jibin K.J wrote:
> Hi,
>
> I want to store values in variables to access from another page (a.k.a.
> state management). Now I cannot use sessions since I have multiple Zope
> instances & if one fails the user needs to be redirected to another Zope
> instance and one session is valid only for one Zope instance. Now my
> remaining options are

You can share the session over zeo between all your zope servers.

in your zeo.conf file you can put

<temporarystorage temp>
  name temporary storage for sessioning
</temporarystorage>

and in your zope.conf put

<zodb_db temporary>
  # Temporary storage database (for sessions)
  cache-size xxxx
  <zeoclient>
    server xxxxxxx
    storage temp
    name session
    var $INSTANCE/var
    cache-size 0
  </zeoclient>
  mount-point /temp_folder
  container-class Products.TemporaryFolder.TemporaryContainer
</zodb_db>


My zopes and zeo are on the same machine and for that I found that setting the
cache-size to 0 inside zeoclient worked the best.

I would also suggest connecting to zeo over a unix domain socket instead of a
port for speed and security reasons if zope and zeo are on the same machine.

If you set up a unix domain socket you would set server to

server /path/to/my.soc

and in the zeo.conf you would do

address $INSTANCE/my.soc

call it whatever you want

At that point sessions will be shared over zeo. I have been using this for
over a year now without a single problem.

Also with this design you can restart your zope servers and as long as the zeo
server running the session stuff remains running you lose no session data.

What I do is not bind any visitor to any zope server at all. I have nginx
running in front of 4 zope servers doing load balancing and requests get
distributed to all zope servers and the session is shared over zeo. For my
setup this gave the best performance and reliability. That way there is no
need to worry about setting up sticky sessions, you can restart any instance
at any time with no interruptions.
_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )
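
The reply above recommends a unix domain socket between Zope and ZEO partly for security; that benefit depends on the filesystem permissions of the socket file and of the directory holding it. The check below is an added example, not part of the original posts or of Zope/ZEO: it assumes Python 3 on Linux, the function names are hypothetical, and the socket it inspects in demo() is constructed in a temporary directory.

```python
import os
import socket
import stat
import tempfile


def audit_zeo_socket(path):
    """Return findings about who can reach or replace the unix socket at `path`."""
    try:
        sock_st = os.lstat(path)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc.strerror)]
    if not stat.S_ISSOCK(sock_st.st_mode):
        return ["%s is not a unix socket" % path]

    findings = []
    # Only the immediate parent directory is inspected here.
    parent_st = os.stat(os.path.dirname(os.path.abspath(path)))
    # Other local users need search (x) permission on the directory to reach the socket.
    reachable = bool(parent_st.st_mode & stat.S_IXOTH)
    # On Linux, connect() needs write permission on the socket file itself.
    if reachable and sock_st.st_mode & stat.S_IWOTH:
        findings.append("socket is world-writable: any local user can connect to ZEO")
    # A world-writable directory without the sticky bit lets anyone replace the socket.
    if parent_st.st_mode & stat.S_IWOTH and not parent_st.st_mode & stat.S_ISVTX:
        findings.append("directory is world-writable without sticky bit: socket can be replaced")
    return findings


def demo():
    """Build a constructed socket in a temp directory and audit it in three states."""
    results = {}
    workdir = tempfile.mkdtemp()              # created with mode 0700
    path = os.path.join(workdir, "my.soc")    # same file name as in the post
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        server.bind(path)
        os.chmod(path, 0o666)
        results["private_dir"] = audit_zeo_socket(path)   # 0700 directory shields it
        os.chmod(workdir, 0o755)
        results["open_socket"] = audit_zeo_socket(path)   # reachable and writable
        os.chmod(path, 0o660)
        results["restricted"] = audit_zeo_socket(path)    # owner and group only
    finally:
        server.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(workdir)
    return results


if __name__ == "__main__":
    for state, findings in demo().items():
        print(state, findings or "ok")
```
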