No Cookie: how to implement session?

bruno at modulix onurb at xiludom.gro
Wed Mar 29 03:56:01 EST 2006


Sullivan WxPyQtKinter wrote:
>  I do not want to use Cookies in my site since not all web browsers
> support it well and sometimes people disable cookies for
> security reasons.

Too bad for them. The only other way to support sessions is by encoding
the session id in the request, and it's much more of a security hole
than cookies.

> I tried to add a hidden field with a sessionID in every web page
> generated by a python CGI script, so every time my client POSTs a request,

POST is for submitting data to the server. The method for retrieving
data from the server is GET.

> the server
> will retrieve the sessionID and decide if it is in the same session.
> However, since python cgi does not have a function for redirecting to a
> page, I use the Location: url HTTP header

How do you think redirections are implemented in frameworks that have
syntactic sugar for this? At the HTTP level, redirections are done by
sending the corresponding status code and headers. And writing your own
redirect() function is pretty trivial.

> or <body
> onload="document.location=\'%s\'"></body> javascript  for
> redirecting.

And you don't want to use cookies? Lol.

> in this case, hidden field could not be used any more.
> 
> Really wish python had session management or equivalent in the
> standard CGI module~~~~

*Please* take some time to understand how HTTP (and CGI) works - it will
save you a lot of time.

HTTP is a *stateless* protocol, which means that the server itself
forgets everything about a request as soon as it is done handling it. So
a request must provide *all* necessary information. The *only* way to
maintain some kind of 'session' with HTTP is to make sure the client
passes the needed session identifier back to the server. And the only two
ways to do it are to:
1/ use a cookie
2/ put the identifier in the request (usually in the query string part
of the url).

The fact that Python's CGI module doesn't offer out of the box support
for sessions has no relation with how sessions work.

BTW, you may want to have a look at Webstack, which provides a common
API over cgi, mod_python, and some other deployment solutions. This is a
pretty boring API (no magic, nothing fancy, nothing sexy etc), but it's
somewhat higher-level than plain CGI and it offers support for sessions
(yes, with cookies - like 99.99% of web programming solutions).


-- 
bruno desthuilliers
python -c "print '@'.join(['.'.join([w[::-1] for w in p.split('.')]) for
p in 'onurb at xiludom.gro'.split('@')])"
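The redirect mechanics and the two session transports discussed in the message above, as an added Python 3 example that is not from the post, from Webstack or from the Python cgi module. The in-memory SESSIONS dict, the cookie name "sid", the 303 status code and the follow_redirect() browser simulation are my own assumptions, used so the script can be exercised offline with a constructed CGI environ instead of a live server. It also shows why the original poster's hidden-field scheme breaks across a redirect: the follow-up request is a GET with no body, so only a cookie or the Location URL can carry the id.

```python
"""Session handling for a plain CGI script (added example, not from the post).

Assumptions: SESSIONS is an in-memory stand-in for a server-side store, the
request is modelled by the CGI environ variables HTTP_COOKIE, QUERY_STRING and
REQUEST_METHOD, and follow_redirect() is a constructed simulation of what a
browser sends after a 303, not a real client.
"""
import secrets
from http import cookies
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

COOKIE_NAME = "sid"   # hypothetical cookie / query-string parameter name
SESSIONS = {}         # sid -> session data; a real script would use a file or DB


def new_session(data=None):
    """Create a session under an unguessable id (256 bits from the OS CSPRNG)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = dict(data or {})
    return sid


def lookup_session(sid):
    """Return the stored session dict, or None for an unknown or forged id."""
    return SESSIONS.get(sid)


def redirect(location, status="303 See Other"):
    """The whole of a CGI redirect: a Status line and a Location header.

    Returns the header block the script writes to stdout.  303 makes the
    browser follow with a GET, so a POST body (hidden fields included) is
    not re-sent to the new location.
    """
    return f"Status: {status}\r\nLocation: {location}\r\n\r\n"


def session_cookie_header(sid):
    """Transport 1: a Set-Cookie header the browser returns on every request."""
    jar = cookies.SimpleCookie()
    jar[COOKIE_NAME] = sid
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["httponly"] = True   # not readable from document.cookie
    jar[COOKIE_NAME]["secure"] = True     # only sent over HTTPS
    return jar.output(header="Set-Cookie:")


def with_sid_in_url(location, sid):
    """Transport 2: put the id in the redirect target's query string.

    This is the "security hole" alternative: the id now lands in proxy and
    server logs, browser history, and the Referer of any outbound link.
    """
    parts = urlsplit(location)
    query = parse_qs(parts.query)
    query[COOKIE_NAME] = [sid]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def session_from_environ(environ):
    """Recover (sid, source) from a request; (None, None) if nothing was sent.

    Cookie first, query string only as a fallback, for the reasons above.
    """
    jar = cookies.SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    if COOKIE_NAME in jar:
        return jar[COOKIE_NAME].value, "cookie"
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    if COOKIE_NAME in qs:
        return qs[COOKIE_NAME][0], "url"
    return None, None


def follow_redirect(redirect_headers, cookie_header=""):
    """Constructed model of the request a browser issues after a redirect:
    a bodiless GET carrying only its cookies and whatever is in Location."""
    lines = redirect_headers.strip().split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines)
    location = headers["Location"]
    return {
        "REQUEST_METHOD": "GET",
        "QUERY_STRING": urlsplit(location).query,
        "HTTP_COOKIE": cookie_header,
        # no request body here: a hidden-field sid from the POST is gone
    }


if __name__ == "__main__":
    sid = new_session({"user": "alice"})
    print(session_cookie_header(sid))
    env = follow_redirect(redirect("/home"), cookie_header=f"{COOKIE_NAME}={sid}")
    print("after redirect, via cookie:", session_from_environ(env))
    env = follow_redirect(redirect("/home"))          # hidden field only
    print("after redirect, hidden field:", session_from_environ(env))
```

The only redirect-safe option that keeps the id out of the URL is the cookie; the URL transport works but exposes the id wherever the URL is copied, which is the trade-off the message is pointing at. The session id itself comes from `secrets`, not from a counter or a timestamp, so it cannot be guessed even though it travels in the clear inside the request.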


