[tbnl-devel] Re: TBNL Example

Edi Weitz edi at agharta.de
Fri Feb 25 20:33:56 UTC 2005


Hi Lukas!

Please use the mailing list for further questions and comments.
Thanks.

On Fri, 25 Feb 2005 11:55:18 +0000, Lukas Trejtnar <l.trejtnar at open.ac.uk> wrote:

> I have been using the mod_lisp module for a couple of years, for which I
> wrote a Lisp counterpart myself. I didn't implement a
> session/cookie management and because of that would like to start
> using your TBNL library. It looks like a great piece of work.

Thanks... :)

> I was reading through a documentation of TBNL and not sure about
> testing session expiration. My scenario would be a login page where
> a user would authorise and a new session would be created, then a
> user would browse pages and the session would be every time checked
> if it didn't expire. If it did, a user would be redirected to the
> login page. It's a standard scenario, I guess. Here comes my
> question.
>
> How do I hook up 'session expires' to the authorisation? After
> reading the documentation, I assume, that I would modify a value of
> *session-removal-hook* to redirection function. Is it how you
> designed it? Do you have any practical examples?

I'm not sure I fully understand your question, or maybe we're talking
about different things.

If you're using TBNL's session facility you don't have to keep track
of session expiry yourself - TBNL will do that for you.  If you have
the same idea about session expiry that TBNL has, that is.  Each
session object has a slot which holds the number of seconds this
session is valid without user interaction - see the docs for
SESSION-MAX-TIME.[1]  If the user is idle longer than this period then
the session will be automatically invalidated.  This doesn't necessarily
mean that the session object is garbage-collected at this point but it
/does/ mean that you can't access the session object anymore,
i.e. TBNL will behave as if there had never been a session object.

In other words: Usually you shouldn't have to care about
*SESSION-REMOVAL-HOOK*, it's a finalizer kind of thing that's rarely
useful.

Now, sessions aren't necessarily related to authorization but they can
be used for it.  One approach that I've been using is the following:
After a successful login the server stores some kind of object in the
session which "proves" that the user is authorized, like this:

   (setf (session-value 'user) (make-foo-object))

Then I can wrap all pages requiring authorization into a macro that
looks like this (untested):

   (defmacro with-authorization (&body body)
     `(cond ((is-foo-object (session-value 'user))
             ,@body)
            (t (redirect "/login-page.html"))))

Does that answer your question?

Cheers,
Edi.

PS: I'll be away for two days so I probably won't answer before
    monday.

[1] Just noticed that the default value (30 minutes) isn't documented
    and *SESSION-MAX-TIME* isn't exported.  This'll be fixed in a
    future release.
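The approach Edi sketches above, spelled out as a small set of handlers, as an added example that is not part of his message and not TBNL's own code. It assumes the exported names tbnl:session-value, tbnl:redirect, tbnl:start-session, tbnl:remove-session, tbnl:*session*, tbnl:post-parameter and tbnl:escape-for-html as found in later TBNL/Hunchentoot releases; the credential table is constructed for the example, and registering the handlers with the dispatch table is left out because that differs between releases.

```lisp
;;; Added example (not from the message above or from TBNL's sources).
;;; Assumed API: tbnl:session-value, tbnl:redirect, tbnl:start-session,
;;; tbnl:remove-session, tbnl:*session*, tbnl:post-parameter,
;;; tbnl:escape-for-html.  Handler registration is omitted; each handler
;;; below is a plain function returning the response body.

(defpackage :auth-example
  (:use :common-lisp))
(in-package :auth-example)

;;; The "proof of authorization" kept in the session.  SESSION-VALUE
;;; returns NIL when there is no session, when the session has passed
;;; SESSION-MAX-TIME without a request, or when nobody has logged in, so
;;; a single predicate check covers all three cases.
(defstruct authenticated-user
  name
  login-time)

;;; Constructed credential table for the example only.  A real
;;; application compares against a salted password hash, never plaintext.
(defparameter *users*
  '(("lukas" . "correct-horse") ("edi" . "battery-staple")))

(defun check-credentials (name password)
  "Return T when NAME/PASSWORD match an entry in *USERS*."
  (let ((entry (assoc name *users* :test #'string=)))
    (and entry (string= (cdr entry) password))))

(defmacro with-authorization (&body body)
  "Run BODY only if the current session holds an AUTHENTICATED-USER;
otherwise send the client to the login page."
  `(cond ((authenticated-user-p (tbnl:session-value 'user))
          ,@body)
         (t (tbnl:redirect "/login-page.html"))))

(defun login-handler ()
  "POST handler for the login form (fields NAME and PASSWORD)."
  (let ((name (tbnl:post-parameter "name"))
        (password (tbnl:post-parameter "password")))
    (cond ((and name password (check-credentials name password))
           ;; Throw away any session that existed before the login so
           ;; that a session id fixed on the client beforehand never
           ;; turns into an authenticated one (session fixation).
           (when tbnl:*session*
             (tbnl:remove-session tbnl:*session*))
           (tbnl:start-session)
           (setf (tbnl:session-value 'user)
                 (make-authenticated-user :name name
                                          :login-time (get-universal-time)))
           (tbnl:redirect "/secret.html"))
          (t
           ;; Same answer whether the name or the password was wrong.
           "<html><body>Login failed.</body></html>"))))

(defun secret-page-handler ()
  "A page that requires authorization.  Once the user has been idle for
SESSION-MAX-TIME seconds, TBNL no longer hands out the session object,
SESSION-VALUE yields NIL and WITH-AUTHORIZATION redirects to the login
page; no *SESSION-REMOVAL-HOOK* is involved."
  (with-authorization
    (format nil "<html><body>Hello, ~A.</body></html>"
            ;; The name originally came from the client: escape it.
            (tbnl:escape-for-html
             (authenticated-user-name (tbnl:session-value 'user))))))

(defun logout-handler ()
  "Explicit logout: drop the session instead of waiting for it to expire."
  (when tbnl:*session*
    (tbnl:remove-session tbnl:*session*))
  (tbnl:redirect "/login-page.html"))
```

The redirect in WITH-AUTHORIZATION is the whole "hook up session expiry to authorization" step: expiry is enforced by TBNL's session lookup, and the macro only has to notice that the proof object is gone.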