On 08 May 2002, Michael Watkins said:
> Regarding "Never Trust The Client", I couldn't agree more. What I was
> suggesting for CGI use was persisting only the session_id to a cookie, the
> application data (prefs) and the session_id to the database, and on each
> request doing a test of the two.

OK, good, I was just making sure. You never know what might happen.
(Heck, there's code in the Python standard library that puts a pickle in
a cookie, which is just so utterly completely wrong on so many
levels...)

> Before I go on, to be clear, I'm using SCGI for my staging and production
> environments and CGI only for testing. I was hoping to implement session
> tracking for my local testing in such a way that the bulk of the
> application code would remain the same in either environment. I use a cgi
> driver just for simplicity and speed of the edit / test cycle. I edit and
> test on a W2K box, and periodically I move all my code to my staging server
> and re-test there.

Right. The big catch is that Quixote's non-persistent standard session
manager is useless when used with CGI, because everything is lost with
the CGI process when its one request is handled. You either need
persistent sessions or a long-lived process.

This really needs to be documented. ;-(

Greg
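The arrangement discussed in this thread (only the session id in the cookie, the prefs in a database, a lookup on each request) as an added example; it is not code from the original messages or from Quixote. It uses sqlite3 and JSON from the Python standard library, and the table layout, cookie name and function names are assumptions made for illustration.

```python
import http.cookies
import json
import secrets
import sqlite3

COOKIE_NAME = "session_id"  # assumed cookie name, not Quixote's

def open_store(path):
    """Open (or create) the on-disk session table; every CGI process calls this."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions "
               "(id TEXT PRIMARY KEY, data TEXT NOT NULL)")
    return db

def new_session(db, prefs):
    """Keep prefs server-side; the Set-Cookie value carries only the random id."""
    sid = secrets.token_urlsafe(32)  # unguessable id, the only state the client holds
    db.execute("INSERT INTO sessions VALUES (?, ?)", (sid, json.dumps(prefs)))
    db.commit()
    cookie = http.cookies.SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["path"] = "/"
    return sid, cookie[COOKIE_NAME].OutputString()

def load_session(db, cookie_header):
    """Return the prefs for the id in the Cookie header, or None if it is unknown."""
    cookie = http.cookies.SimpleCookie()
    try:
        cookie.load(cookie_header or "")
    except http.cookies.CookieError:
        return None
    if COOKIE_NAME not in cookie:
        return None
    row = db.execute("SELECT data FROM sessions WHERE id = ?",
                     (cookie[COOKIE_NAME].value,)).fetchone()
    # The stored data is JSON; nothing sent by the client is ever unpickled.
    return json.loads(row[0]) if row else None

def demo(path):
    """Simulate two separate CGI requests, each with its own connection."""
    db1 = open_store(path)
    sid, set_cookie = new_session(db1, {"theme": "dark"})  # constructed sample prefs
    db1.close()  # the first CGI process exits; in-memory state would be gone here
    db2 = open_store(path)
    found = load_session(db2, f"{COOKIE_NAME}={sid}")
    forged = load_session(db2, f"{COOKIE_NAME}=not-a-real-id")
    db2.close()
    return set_cookie, found, forged
```

Because the session table lives on disk, the second connection finds the prefs even though the first process is gone, and an id that was never issued maps to nothing.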