A few comments:

- User ID is very different from Visitor ID, all users are visitors; but the reverse isn't always true. Visitor ID does not require any authentication, where User ID probably will. Therefore, I think they should be handled completely independently.

- Visitor ID is very similar (if not identical to?)... Session? Where session has with it an expiration date, an IP address associated with the visitor, etc. So, perhaps this should just be called 'session'?

- I've written a simple signed-cookie mechanism for storing the WSGI REMOTE_USER and REMOTE_SESSION environment variables and any other environment variables you wish; signed cookies do time out automatically and are "cluster friendly". It is implemented and tested. (http://svn.w4py.org/Paste/trunk/paste/auth/cookie.py)

If TurboGears is already using paste, it is a no-brainer:

1. Include paste.auth.cookie in your WSGI application chain toward the very bottom. If you're running a cluster, make sure to set the ``secret`` parameter; if not, it will be set for you automatically.

2. If the environ['REMOTE_SESSION'] is not set, then mint a new session identifier and set the environment variable.

3. Have your application check environ['REMOTE_SESSION'] and use the value (the session identifier) to find the shopping cart object, etc.

4. (optionally), use environ['REMOTE_USER'] for user authentication (see paste.auth.* for various authentication methods such as HTTP Digest, etc.)

I hope this helps.

Best,

Clark

P.S. Please use [EMAIL PROTECTED] to reply to me if needed.
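Steps 1 to 3 above, as an added stand-alone sketch (not part of the original message and not the code of paste.auth.cookie): a standard-library HMAC-signed cookie that carries REMOTE_SESSION with an expiry and is rejected when tampered with or timed out. The secret value, the 30-minute timeout, the cookie name SESSIONSIG and the in-memory CARTS store are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time

SECRET = b"constructed-demo-secret"  # assumption: same value on every cluster node
TIMEOUT = 30 * 60                    # assumption: 30-minute cookie lifetime
COOKIE = "SESSIONSIG"                # hypothetical cookie name
CARTS = {}                           # session id -> cart (in-memory stand-in)

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def sign(session_id, now=None):
    """Return 'expiry:session_id:mac'; the MAC covers both expiry and id."""
    now = time.time() if now is None else now
    payload = "%d:%s" % (int(now) + TIMEOUT, session_id)
    return payload + ":" + _mac(payload)

def verify(value, now=None):
    """Return the session id if the MAC is valid and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        expiry, session_id, mac = value.split(":")
        expiry = int(expiry)
    except ValueError:
        return None
    good = _mac("%d:%s" % (expiry, session_id))
    if not hmac.compare_digest(good.encode(), mac.encode()) or expiry < now:
        return None  # constant-time MAC check failed, or the cookie timed out
    return session_id

def session_middleware(app):
    """Steps 1-2: restore REMOTE_SESSION from the signed cookie, or mint one."""
    def wrapped(environ, start_response):
        cookies = dict(p.strip().split("=", 1) for p in
                       environ.get("HTTP_COOKIE", "").split(";") if "=" in p)
        sid = verify(cookies.get(COOKIE, "")) or secrets.token_urlsafe(16)
        environ["REMOTE_SESSION"] = sid
        def start(status, headers, exc_info=None):
            headers.append(("Set-Cookie", "%s=%s; Path=/; HttpOnly" % (COOKIE, sign(sid))))
            return start_response(status, headers, exc_info)
        return app(environ, start)
    return wrapped

def cart_app(environ, start_response):
    """Step 3: use the session identifier to find the visitor's cart."""
    cart = CARTS.setdefault(environ["REMOTE_SESSION"], [])
    cart.append(environ.get("PATH_INFO", "/"))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("%d items" % len(cart)).encode()]
application = session_middleware(cart_app)
```

Because every node derives the MAC from the same secret, any node can validate a cookie issued by another without shared session storage for the identifier itself; only the cart lookup needs a common backend.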

