Working on a log in script to my webpage

Steve Holden steve at holdenweb.com
Wed Mar 9 09:51:47 EST 2005


Pete..... wrote:
> I'd better mention that I'd rather make it all in Python and HTML (found out 
> that Python somehow works with ASP)
> 
> I know that what I have to do is the following:
> 
> 1) When the user logs in, I have to store a session ID in a cookie

In actual fact it's best not to wait until the user logs in: every 
request that comes in for the service should be examined for the cookie 
(which the browser will always return once it's received it). If there's 
no cookie then the server should include one in its response.

That way, each session is identified by a unique cookie value, which can 
be used (among other things) to locate any state that's associated with 
the sessions (such as a "who is this user" variable).

> 2) When page1 is loaded (upon correctly entered username/password) the cookie 
> has to be sent to page 1 and on page one there should be a check to see if 
> the cookie has the right values.

Not quite: the cookie (retained on the client and sent to the server 
with each request) just identifies the session, and the session state 
storage (maintained on the server, one per active session) holds the 
information about the session like whether the user has logged in, 
what's in their shopping cart, and so on.

Each page (or, if you are using an application framework like Webware, 
the framework) can examine state memory to determine whether the 
conditions for access have been met, and redirect to an error page if 
not. For this purpose ASP maintained a "Session" object for each 
session's state memory.

> 3) Every time a page is loaded, there has to be a check, to see if the 
> cookie has the right value, if not the page shouldn't be loaded, and the user 
> should be redirected back to login page.
> 
Almost, see above.

> It does sound very easy to make: Create a store-holder (cookies), create a 
> session ID upon log in, check if it is the right session ID in the cookies 
> every time a page is loaded, if not redirect back to log in page.
> 
> But even though it sounds easy, I can't quite get the hold of it..
> 
> I tried googling, but didn't really find anything that helpful...
> 
It's true that there isn't actually much on the web that explains 
sessions with specific reference to Python. I can, however, after quite 
a lot of searching, thoroughly recommend

   http://webapparch.sourceforge.net/

for an overview of what happens in a session-oriented web service. I 
would suggest you start with Section 8, and then read the whole thing, 
or at least all parts that interest you.

> Any more advice...
> 
Of course usually some mechanism supported by the specific server in use 
is involved.

   http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/65110

does show how to generate session IDs, but then you have to deliver them 
as cookies (of course, for security reasons you don't want session IDs 
to be easily guessed, as this would allow someone to "hijack" an 
existing session by impersonating a browser holding the right cookie value).

If you are prepared to read a bit of PHP (sorry ...) then

   http://www.phpbuilder.com/columns/paul20020729.php3

explains the details of session maintenance sufficiently clearly that 
you would get a good idea of how to implement the same ideas in Python.


> Once again thanks for your time....
> 
> Sincerely
> Pete
[...]

You're welcome.

regards
  Steve
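
The flow described in this reply, as an added Python example that is not part of the original message: a cookie is issued on the first request, it carries only an unguessable session ID, and the login state lives in a server-side store that every page checks. The cookie name `sid`, the paths, the in-memory `SESSIONS` and `USERS` dictionaries and the function names are assumptions made for illustration; the ID is also replaced at login, a step the message does not mention.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE = "sid"                              # hypothetical cookie name
SESSIONS = {}                               # server-side state, keyed by session ID
USERS = {"pete": "constructed-password"}    # constructed sample; store hashes in practice

def _issue(headers, state=None):
    """Create a session under a fresh unguessable ID and queue its cookie."""
    sid = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
    SESSIONS[sid] = state if state is not None else {"user": None}
    headers.append(("Set-Cookie",
                    f"{COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"))
    return sid

def handle(path, cookie_header="", form=None):
    """Process one request; return (status, headers, session_id)."""
    headers = []
    jar = SimpleCookie(cookie_header)
    sid = jar[COOKIE].value if COOKIE in jar else None
    if sid not in SESSIONS:                 # no cookie yet, or an unknown value
        sid = _issue(headers)
    state = SESSIONS[sid]
    if path == "/login":
        if form is None:
            return 200, headers, sid        # serve the login form
        expected = USERS.get(form.get("user", ""), "")
        supplied = form.get("password", "")
        if expected and hmac.compare_digest(expected.encode(), supplied.encode()):
            # Replace the ID at login so a value seen before login is useless after it.
            del SESSIONS[sid]
            state["user"] = form["user"]
            sid = _issue(headers, state)
            headers.append(("Location", "/page1"))
            return 302, headers, sid
        return 401, headers, sid
    if state["user"] is None:               # every protected page checks server state
        headers.append(("Location", "/login"))
        return 302, headers, sid
    return 200, headers, sid
```

The cookie value never says whether the user is logged in; that fact exists only in `SESSIONS`, so a client that edits or invents a cookie value simply gets a new anonymous session.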



