Best way to handle cgi sessions
Christoph Haas
email at christoph-haas.de
Fri Oct 14 16:37:48 EDT 2005
On Friday 14 October 2005 21:22, Derek Perriero wrote:
> What would be the best way to create a cgi session that contains the
> basic elements of a cookie and can also hold secure data, such as a
> username/password. I've explored the possibilities of using SmartCookie,
> but that doesn't encrypt my parameters.
Encrypting the parameters is probably not the best way. Usually you store
the information you need in your own database and just pass the client
(web browser/user) a handle (session ID). That way you temporarily identify
the user through the session ID but can store data in your database that
the
user cannot even see.
There are a few things you need to take care of like:
- only pass a new session cookie if necessary
(otherwise the user may be prompted to accept the same cookie time and
again)
- expire the session if the user hasn't been using it
- check if the session ID fits the IP address you recorded
- create unique session IDs
A link from my list of bookmarks about session handling:
http://starship.python.net/~davem/cgifaq/faqw.cgi?req=show&file=faq02.011.htp
We have recently developed such a session handler for a Debian-related web
site which uses a MySQL table to store session information. If there is
interest I'll tidy it up a bit and make it publicly available.
Cheers
Christoph
--
~
~
".signature" [Modified] 1 line --100%-- 1,48 All
More information about the Python-list
mailing list