Session Extension

[amcgregor]

Provide a generalized and extensible session service provider. (An extension that extends the context.)

The API should be Beaker-ish, that is, a UserDict subclass with additional attributes:

• id — the session identifier, whatever it may be. (E.g. a 40 character SHA.)
• last_accessed — the UTC datetime the session was last loaded, None if new
• save() — mark the session for saving at the end of the request (w/ autosave configuration)
• persist() — immediately commit the session to the back-end
• delete() — expire the session and call the back-end to clean up
• invalidate() — delete the current session then immediately create a new one

Two internal keys should be provided and maintained:

• _accessed_time — the UTC datetime the session was loaded
• _creation_time — the UTC datetime the session was created

Back-ends:

• memory — in-memory sessions
• cookie — pure cookie sessions (crypto!)
• user — simplified callbacks (a la web.auth)
• disk — very simple on-disk sessions
• beaker — the full power of beaker

[amcgregor]

Also, optional transaction support for rolling sessions back on error.

[agronholm]

Disagree about the backends. My list of backends:

• memory (for development)
• disk
• sqlalchemy
• mongodb
• redis

Pure cookie sessions are not worth the effort IMO, because they can't be invalidated. Or they can, but would require a server-side revocation list, which would completely defeat the purpose.

[agronholm]

Unless of course the point is to have the authentication layer refresh the user info on every request?