cgi - secure sessions

Paul Rubin http
Wed Feb 1 20:27:36 EST 2006


infini.g at gmail.com writes:
> I was just wondering if / how would it be possible to create secure
> sessions for a website using Python CGI... I thought of using cookies,
> and things looked promising for a while; I could login through a form
> which pointed to a cgi script which created and sent the user cookies,

Yes, that's the usual way: send a cookie containing either the session
ID or the session data, and read it back on the server side.  Be very
careful about what you put in the cookie: if it's a session ID, it
should be a long random string, not a session number like 37 (if you
use consecutive numbers, someone can change their number and take over
someone else's session).  If it's more complex session data, validate
it carefully on the server side, maybe by authenticating it with
something like the hmac module.
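Both halves of the advice above in working code, as an added example that is not part of the original post: an unguessable session ID from the `secrets` module instead of a counter, and session data carried in the cookie but authenticated with `hmac` so the server can tell when a client has edited it. The key, the session contents and the cookie name are constructed for the example; a real server would load the key from configuration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from http.cookies import SimpleCookie

# Constructed key for this example; a real server loads it from config,
# never from source, and rotates it.
SECRET_KEY = b"example-only-server-secret"


def new_session_id(nbytes=32):
    """Unguessable session ID: 32 random bytes as 64 hex chars, not a counter like 37."""
    return secrets.token_hex(nbytes)


def _b64e(raw):
    # urlsafe base64 without '=' padding so the value needs no cookie quoting
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def sign_session(data, key=SECRET_KEY):
    """Serialize session data and append an HMAC-SHA256 tag: '<payload>.<tag>'."""
    payload = _b64e(json.dumps(data, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_session(cookie_value, key=SECRET_KEY):
    """Return the session data if the tag is valid, else None (treat as logged out)."""
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    # constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(_b64d(payload).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


def set_cookie_header(name, value):
    """Build the Set-Cookie line a CGI script prints before its body."""
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = True   # not readable from page scripts
    c[name]["secure"] = True     # only sent over HTTPS
    c[name]["samesite"] = "Strict"
    c[name]["path"] = "/"
    return c.output()


def tampered_copy(cookie_value, new_data):
    """What the server receives if a client edits the payload but keeps the old tag."""
    _, _, tag = cookie_value.rpartition(".")
    return f"{_b64e(json.dumps(new_data, sort_keys=True).encode('utf-8'))}.{tag}"


if __name__ == "__main__":
    sid = new_session_id()
    cookie = sign_session({"sid": sid, "user": "alice"})
    print(set_cookie_header("session", cookie))
    print("valid:", verify_session(cookie))
    print("edited:", verify_session(tampered_copy(cookie, {"sid": sid, "user": "admin"})))
```

The HMAC only proves the cookie was produced by a holder of the key; it does not hide the contents, so anything a user should not be able to read still belongs in server-side storage keyed by the session ID rather than in the cookie.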