This file is indexed.

/usr/share/pyshared/zope.session-3.9.4.egg-info/PKG-INFO is in python-zope.session 3.9.4-0ubuntu3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
Metadata-Version: 1.1
Name: zope.session
Version: 3.9.4
Summary: Client identification and sessions for Zope
Home-page: http://pypi.python.org/pypi/zope.session
Author: Zope Foundation and Contributors
Author-email: zope-dev@zope.org
License: ZPL 2.1
Description: This package provides interfaces for client identification and session
        support and their implementations for zope.publisher's request objects.
        
        
        .. contents::
        
        Sessions
        ========
        
        Sessions provide a way to temporarily associate information with a
        client without requiring the authentication of a principal.  We
        associate an identifier with a particular client. Whenever we get a
        request from that client, we compute the identifier and use the
        identifier to look up associated information, which is stored on the
        server.
        
        A major disadvantage of sessions is that they require management of
        information on the server. This can have major implications for
        scalability.  It is possible for a framework to make use of session
        data very easy for the developer.  This is great if scalability is not
        an issue, otherwise, it is a booby trap.
        
        Design Issues
        -------------
        
        Sessions introduce a number of issues to be considered:
        
        - Clients have to be identified. A number of approaches are possible,
          including:
        
          o Using HTTP cookies. The application assigns a client identifier,
            which is stored in a cookie.  This technique is the most
            straightforward, but can be defeated if the client does not
            support HTTP cookies (usually because the feature has been
            disabled).
        
          o Using URLs.  The application assigns a client identifier, which is
            stored in the URL.  This makes URLs a bit uglier and requires some
            care. If people copy URLs and send them to others, then you could
            end up with multiple clients with the same session
            identifier. There are a number of ways to reduce the risk of
            accidental reuse of session identifiers:
        
            - Embed the client IP address in the identifier
        
            - Expire the identifier
        
          o Use hidden form variables.  This complicates applications. It
            requires all requests to be POST requests and requires the
            maintenance of the hidden variables.
        
          o Use the client IP address
        
            This doesn't work very well, because an IP address may be shared by
            many clients.
        
        - Data storage
        
          Data can be simply stored in the object database. This provides lots
          of flexibility. You can store pretty much anything you want as long
          as it is persistent. You get the full benefit of the object database,
          such as transactions, transparency, clustering, and so on.  Using
          the object database is especially useful when:
        
          - Writes are infrequent
        
          - Data are complex
        
          If writes are frequent, then the object database introduces
          scalability problems.  Really, any transactional database is likely
          to introduce problems with frequent writes. If you are tempted to
          update session data on every request, think very hard about it.  You
          are creating a scalability problem.
        
          If you know that scalability is not (and never will be) an issue,
          you can just use the object database.
        
          If you have client data that needs to be updated often (as in every
          request), consider storing the data on the client.  (Like all data
          received from a client, it may be tainted and, in most instances,
          should not be trusted. Sensitive information that the user should
          not see should likewise not be stored on the client, unless
          encrypted with a key the client has no access to.)  If you can't
          store it on the client, then consider some other storage mechanism,
          like a fast database, possibly without transaction support.
        
          You may be tempted to store session data in memory for speed.  This
          doesn't turn out to work very well.  If you need scalability, then
          you need to be able to use an application-server cluster and storage
          of session data in memory defeats that.  You can use
          "server-affinity" to assure that requests from a client always go
          back to the same server, but not all load balancers support server
          affinity, and, for those that do, enabling server affinity tends to
          defeat load balancing.
        
        - Session expiration
        
          You may wish to ensure that sessions terminate after some period of
          time. This may be for security reasons, or to avoid accidental
          sharing of a session among multiple clients.  The policy might be
          expressed in terms of total session time, or maximum inactive time,
          or some combination.
        
          There are a number of ways to approach this.  You can expire client
          ids. You can expire session data.
        
        - Data expiration
        
          Because HTTP is a stateless protocol, you can't tell whether a user
          is thinking about a task or has simply stopped working on it.  Some
          means is needed to free server session storage that is no-longer needed.
        
          The simplest strategy is to never remove data. This strategy has
          some obvious disadvantages.  Other strategies can be viewed as
          optimizations of the basic strategy.  It is important to realize that
          a data expiration strategy can be informed by, but need not be
          constrained by a session-expiration strategy.
        
        
        
        Zope3 Session Implementation
        ============================
        
        Overview
        --------
        
        .. CAUTION::
            Session data is maintained on the server. This gives a security
            advantage in that we can assume that a client has not tampered with
            the data.  However, this can have major implications for scalability
            as modifying session data too frequently can put a significant load
            on servers and in extreme situations render your site unusable.
            Developers should keep this in mind when writing code or risk
            problems when their application is run in a production environment.
        
            Applications requiring write-intensive session implementations (such
            as page counters) should consider using cookies or specialized
            session implementations.
        
        Sessions allow us to fake state over a stateless protocol - HTTP.
        We do this by having a unique identifier stored across multiple
        HTTP requests, be it a cookie or some id mangled into the URL.
        
        
        The `IClientIdManager` Utility provides this unique id. It is
        responsible for propagating this id so that future requests from
        the client get the same id (eg. by setting an HTTP cookie). This
        utility is used when we adapt the request to the unique client id:
        
            >>> client_id = IClientId(request)
        
        The `ISession` adapter gives us a mapping that can be used to store
        and retrieve session data. A unique key (the package id) is used
        to avoid namespace clashes:
        
            >>> pkg_id = 'products.foo'
            >>> session = ISession(request)[pkg_id]
            >>> session['color'] = 'red'
        
            >>> session2 = ISession(request)['products.bar']
            >>> session2['color'] = 'blue'
        
            >>> session['color']
            'red'
            >>> session2['color']
            'blue'
        
        
        Data Storage
        ------------
        
        The actual data is stored in an `ISessionDataContainer` utility.
        `ISession` chooses which `ISessionDataContainer` should be used by
        looking up as a named utility using the package id. This allows
        the site administrator to configure where the session data is actually
        stored by adding a registration for desired `ISessionDataContainer`
        with the correct name.
        
            >>> import zope.component
            >>> sdc = zope.component.getUtility(ISessionDataContainer, pkg_id)
            >>> sdc[client_id][pkg_id] is session
            True
            >>> sdc[client_id][pkg_id]['color']
            'red'
        
        If no `ISessionDataContainer` utility can be located by name using the
        package id, then the unnamed `ISessionDataContainer` utility is used as
        a fallback. An unnamed `ISessionDataContainer` is automatically created
        for you, which may replaced with a different implementation if desired.
        
            >>> ISession(request)['unknown'] \
            ...     is zope.component.getUtility(ISessionDataContainer)[client_id]\
            ...         ['unknown']
            True
        
        The `ISessionDataContainer` contains `ISessionData` objects, and
        `ISessionData` objects in turn contain `ISessionPkgData` objects. You
        should never need to know this unless you are writing administrative
        views for the session machinery.
        
            >>> ISessionData.providedBy(sdc[client_id])
            True
            >>> ISessionPkgData.providedBy(sdc[client_id][pkg_id])
            True
        
        The `ISessionDataContainer` is responsible for expiring session data.
        The expiry time can be configured by settings its `timeout` attribute.
        
            >>> sdc.timeout = 1200 # 1200 seconds or 20 minutes
        
        
        Restrictions
        ------------
        
        Data stored in the session must be persistent or picklable.
        
            >>> session['oops'] = open(__file__)
            >>> import transaction
            >>> transaction.commit()
            Traceback (most recent call last):
                [...]
            TypeError: can't pickle file objects
        
        Clean up:
        
            >>> transaction.abort()
        
        
        Page Templates
        --------------
        
        Session data may be accessed in page template documents using TALES::
        
            <span tal:content="request/session:products.foo/color | default">
                green
            </span>
        
        or::
        
            <div tal:define="session request/session:products.foo">
                <script type="text/server-python">
                    try:
                        session['count'] += 1
                    except KeyError:
                        session['count'] = 1
                </script>
        
                <span tal:content="session/count" />
            </div>
        
        
        Session Timeout
        ---------------
        
        Sessions have a timeout (defaulting to an hour, in seconds).
        
            >>> import zope.session.session
            >>> data_container = zope.session.session.PersistentSessionDataContainer()
            >>> data_container.timeout
            3600
        
        We need to keep up with when the session was last used (to know when it needs
        to be expired), but it would be too resource-intensive to write the last access
        time every, single time the session data is touched.  The session machinery
        compromises by only recording the last access time periodically.  That period
        is called the "resolution".  That also means that if the last-access-time +
        the-resolution < now, then the session is considered to have timed out.
        
        The default resolution is 10 minutes (600 seconds), meaning that a users
        session will actually time out sometime between 50 and 60 minutes.
        
            >>> data_container.resolution
            600
        
        
        CHANGES
        =======
        
        3.9.4 (2011-03-07)
        ------------------
        
        - Added an explicit `provides` to the IClientId adapter declaration in
          adapter.zcml.
        
        - Added option to disable implicit sweeps in
          PersistentSessionDataContainer.
        
        
        3.9.3 (2010-09-25)
        ------------------
        
        - Added test extra to declare test dependency on ``zope.testing``.
        
        - Using Python's ``doctest`` module instead of depreacted
          ``zope.testing.doctest``.
        
        
        3.9.2 (2009-11-23)
        ------------------
        
        - Fix Python 2.4 hmac compatibility issue by only using hashlib in
          Python versions 2.5 and above.
        
        - Use the CookieClientIdManager's secret as the hmac key instead of the
          message when constructing and verifying client ids.
        
        - Make it possible to construct CookieClientIdManager passing cookie namespace
          and/or secret as constructor's arguments.
        
        - Use zope.schema.fieldproperty.FieldProperty for "namespace" attribute of
          CookieClientIdManager, just like for other attributes in its interface.
          Also, make ICookieClientIdManager's "namespace" field an ASCIILine, so
          it accepts only non-unicode strings for cookie names.
        
        
        3.9.1 (2009-04-20)
        ------------------
        
        - Restore compatibility with Python 2.4.
        
        
        3.9.0 (2009-03-19)
        ------------------
        
        - Don't raise deprecation warnings on Python 2.6.
        
        - Drop dependency on ``zope.annotation``. Instead, we make classes implement
          `IAttributeAnnotatable` in ZCML configuration, only if ``zope.annotation``
          is available. If your code relies on annotatable `CookieClientIdManager`
          and `PersistentSessionDataContainer` and you don't include the zcml classes
          configuration of this package, you'll need to use `classImplements` function
          from ``zope.interface`` to make those classes implement `IAttributeAnnotatable`
          again.
        
        - Drop dependency on zope.app.http, use standard date formatting function
          from the ``email.utils`` module.
        
        - Zope 3 application bootstrapping code for session utilities was moved into
          zope.app.appsetup package, thus drop dependency on zope.app.appsetup in this
          package.
        
        - Drop testing dependencies, as we don't need anything behind zope.testing and
          previous dependencies was simply migrated from zope.app.session before.
        
        - Remove zpkg files and zcml slugs.
        
        - Update package's description a bit.
        
        
        3.8.1 (2009-02-23)
        ------------------
        
        - Add an ability to set cookie effective domain for CookieClientIdManager.
          This is useful for simple cases when you have your application set up on
          one domain and you want your identification cookie be active for subdomains.
        
        - Python 2.6 compatibility change. Encode strings before calling hmac.new()
          as the function no longer accepts the unicode() type.
        
        
        3.8.0 (2008-12-31)
        ------------------
        
        - Add missing test dependency on ``zope.site`` and
          ``zope.app.publication``.
        
        
        3.7.1 (2008-12-30)
        ------------------
        
        - Specify i18n_domain for titles in apidoc.zcml
        
        - ZODB 3.9 no longer contains
          ZODB.utils.ConflictResolvingMappingStorage, fixed tests, so they
          work both with ZODB 3.8 and 3.9.
        
        
        3.7.0 (2008-10-03)
        ------------------
        
        New features:
        
        - Added a 'postOnly' option on CookieClientIdManagers to only allow setting
          the client id cookie on POST requests.  This is to further reduce risk from
          broken caches handing the same client id out to multiple users. (Of
          course, it doesn't help if caches are broken enough to cache POSTs.)
        
        
        3.6.0 (2008-08-12)
        ------------------
        
        New features:
        
        - Added a 'secure' option on CookieClientIdManagers to cause the secure
          set-cookie option to be used, which tells the browser not to send the
          cookie over http.
        
          This provides enhanced security for ssl-only applications.
        
        - Only set the client-id cookie if it isn't already set and try to
          prevent the header from being cached.  This is to minimize risk from
          broken caches handing the same client id out to multiple users.
        
        
        3.5.2 (2008-06-12)
        ------------------
        
        - Remove ConflictErrors caused on SessionData caused by setting
          ``lastAccessTime``.
        
        
        3.5.1 (2008-04-30)
        ------------------
        
        - Split up the ZCML to make it possible to re-use more reasonably.
        
        
        3.5.0 (2008-03-11)
        ------------------
        
        - Change the default session "resolution" to a sane value and document/test it.
        
        
        3.4.1 (2007-09-25)
        ------------------
        
        - Fixed some meta data and switch to tgz release.
        
        
        3.4.0 (2007-09-25)
        ------------------
        
        - Initial release
        
        - Moved parts from ``zope.app.session`` to this packages
        
Keywords: zope3 session
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Web Environment
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Zope Public License
Classifier: Programming Language :: Python
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Framework :: Zope3