Monday, August 27, 2012

Session and cookies

Aurum uses Pyramid. I am not familiar with Pyramid, but it's very flexible because, unlike Django, Pyramid does not come with a User system by default when you run the setup. It just doesn't. You can create a User model and use the Session abstraction built into Pyramid (and the Auth policy that comes with Pyramid).

As a Django user, I never needed to worry about how the session was managed. It just worked for each user. Now I know I have to care about it.

I still don't know much about the whole architecture, but basically I was using pyramid-beaker and added a key to the session. But the next time I accessed the session and asked to read the key, it raised KeyError.

I made this post, and I am not embarrassed to show it. I actually have several Stack Overflow accounts.

Why is that? As the answer pointed out, to get the same session back, the request needs to carry the same cookie. That's pretty much the way to identify "oh, so I see you again."

Then I asked myself: what if I lose that cookie, or the cookie changes? Wouldn't that mean I lose the session information? My requirement is to store user actions in the session / cache so I can retrieve them on demand.

When a user runs the code, we do short polling at the moment to request "build, run, generate report". Each of these steps will require or produce some ids or status codes. I need to keep track of these things. I can't afford to ask GCS "oh, by the way, can you please give me that build_id again?" Instead, I can go right into the session / cache and ask "given this task id, what's the build_id, if any?"

What about using memcache and forgetting about the session? Make a key/value pair in memcache keyed by the task id, so that requesting the resource could look like /aurum/api/task/status/<task_id>.

That's how we do it currently. But that's really bad. Anyone with this task id can actually query the status. If I knew my classmate was really smart, and I knew he did it right, I could steal that task id as he's running it, put it in my JavaScript, and when I make the next request it will blindly ask for <my-friend-task-status> because the task id is his. What's next? When it's completed, I get all green on my test output and a big fat 100 for my homework!!!!

Session is the way to go. With cookies, there is a barrier to getting that cookie. I am not sure whether copying a cookie over to a new browser will actually invalidate the cookie. It might? But with a session, I can guarantee that anyone who looks at this session and uses the data from it is the user who created the session last time.
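To make the two points above concrete (the KeyError when the cookie is missing, and why a status lookup keyed only by task id is readable by anyone who knows the id), here is an added example written for this post. It is not Aurum's code and it does not use pyramid_beaker; it replaces the beaker backend and memcache with plain in-memory dictionaries, and the `Request`, `SessionStore`, `App`, `aurum_session` cookie name and all task/build ids are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed cookie name; pyramid_beaker would manage its own cookie.
SESSION_COOKIE = "aurum_session"


class SessionStore:
    """Server-side session data, keyed by the opaque id carried in the cookie.

    Stand-in for the beaker session backend: the cookie holds only the id,
    the data stays on the server.
    """

    def __init__(self) -> None:
        self._data: Dict[str, dict] = {}

    def new(self) -> str:
        # 256 bits from the OS CSPRNG: the id is the only link to the data,
        # so it has to be unguessable.
        sid = secrets.token_urlsafe(32)
        self._data[sid] = {}
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        return self._data.get(sid) if sid else None


@dataclass
class Request:
    """Minimal stand-in for a Pyramid request: just the cookies it carries."""
    cookies: Dict[str, str] = field(default_factory=dict)


class App:
    def __init__(self) -> None:
        self.sessions = SessionStore()
        # memcache stand-in: task_id -> status record
        self.cache: Dict[str, dict] = {}

    def session_for(self, request: Request) -> dict:
        """Resolve the session for the cookie presented, or start a fresh one.

        A request that does not carry the cookie gets a new, empty session.
        That is why a key written in an earlier request "disappears" and
        reading it raises KeyError: it is a different session, not lost data.
        """
        sid = request.cookies.get(SESSION_COOKIE)
        data = self.sessions.get(sid)
        if data is None:
            sid = self.sessions.new()
            data = self.sessions.get(sid)
            # Simulate Set-Cookie on the response so the client sends it next time.
            request.cookies[SESSION_COOKIE] = sid
        return data

    def start_build(self, request: Request, build_id: str) -> str:
        """Create a task, record its build id in the cache, and remember in the
        session which tasks this user owns."""
        task_id = secrets.token_hex(8)
        self.cache[task_id] = {"build_id": build_id, "status": "running"}
        session = self.session_for(request)
        session.setdefault("tasks", set()).add(task_id)
        return task_id

    def status_by_task_id(self, task_id: str) -> Optional[dict]:
        """The /aurum/api/task/status/<task_id> lookup as currently done:
        whoever knows the id reads the record, no session involved."""
        return self.cache.get(task_id)

    def status_for_session(self, request: Request, task_id: str) -> Optional[dict]:
        """Session-scoped lookup: the record is returned only to the session
        that created the task. Unknown and foreign task ids get the same
        answer, so the response does not reveal whether the id exists."""
        session = self.session_for(request)
        if task_id not in session.get("tasks", set()):
            return None
        return self.cache.get(task_id)


if __name__ == "__main__":
    app = App()
    alice = Request()
    tid = app.start_build(alice, "build-42")
    print("owner sees:", app.status_for_session(alice, tid))
    print("url-only lookup by anyone:", app.status_by_task_id(tid))
    print("other session sees:", app.status_for_session(Request(), tid))
```

The session cookie is now the credential that stands in for the task id, so it deserves the usual cookie protections (HttpOnly, Secure, sent over TLS); the ownership check only helps if the cookie itself is harder to obtain than a task id in a URL.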

So I am sticking with the session, although I still prefer memcache because it looks more professional? I don't know.
