[Flask] Usage of session and g variables
Federico Delgado Doyle
fededelgado at outlook.com
Mon Sep 21 23:45:23 CEST 2015
+100 to what Jeff said. Let someone else run with the risks of payment information/handling.
More related to your question about session and g: if you must use anything sensitive in the session, be sure to use server-side storage and have nothing travelling inside the cookie except the session identifier (which I would also recommend regenerating at appropriate points to avoid any session pinning).
Federico
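The arrangement Federico describes, as an added example that is not code from this thread or from the casa-sabor repository: a server-side session store for Flask in which the cookie carries only an opaque id, the cart and user data stay on the server, and the id is regenerated when the user logs in. It hooks into Flask's real SessionInterface; the in-memory dict, the route names, the `/login` handler (which checks no password) and the `demo()` walkthrough are assumptions made for this example.

```python
import secrets
import time


class ServerSideSessionStore:
    """Session data keyed by an unguessable id; the browser only ever holds the id."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self.ttl, self.clock = ttl_seconds, clock
        self._sessions = {}  # sid -> (expires_at, data); assumption: a dict stands in for Redis/DB

    @staticmethod
    def new_sid():
        return secrets.token_urlsafe(32)  # OS CSPRNG, not derived from user, time or IP

    def load(self, sid):
        """Data for sid, or None if the id is unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        expires_at, data = entry
        if expires_at < self.clock():
            del self._sessions[sid]
            return None
        return data

    def save(self, sid, data):
        self._sessions[sid] = (self.clock() + self.ttl, dict(data))

    def regenerate(self, old_sid, data):
        """Fresh id, old one invalidated; call on login/checkout so a planted or observed id dies."""
        self._sessions.pop(old_sid, None)
        new_sid = self.new_sid()
        self.save(new_sid, data)
        return new_sid


def build_app(store, secure_cookies=True):
    """Wire the store into Flask's SessionInterface hook (Flask imported lazily; routes illustrative)."""
    from flask import Flask, jsonify, request, session
    from flask.sessions import SessionInterface, SessionMixin

    class ServerSession(dict, SessionMixin):
        def __init__(self, sid, data=None):
            super().__init__(data or {})
            self.sid, self.regenerate_requested = sid, False

    class ServerSideSessionInterface(SessionInterface):
        def open_session(self, app, request):
            sid = request.cookies.get(app.config["SESSION_COOKIE_NAME"])
            data = store.load(sid) if sid else None
            if data is None:  # no cookie, or an unknown/expired id: never adopt a client-chosen id
                return ServerSession(store.new_sid())
            return ServerSession(sid, data)

        def save_session(self, app, session, response):
            if session.regenerate_requested:
                sid = store.regenerate(session.sid, session)
            else:
                sid = session.sid
                store.save(sid, session)
            response.set_cookie(app.config["SESSION_COOKIE_NAME"], sid, httponly=True,
                                secure=self.get_cookie_secure(app), samesite="Lax")

    app = Flask(__name__)
    app.config["SESSION_COOKIE_SECURE"] = secure_cookies  # keep True behind HTTPS
    app.session_interface = ServerSideSessionInterface()

    @app.route("/cart/add", methods=["POST"])
    def add_item():
        session.setdefault("items", []).append(request.form["item"])
        return jsonify(items=session["items"], user=session.get("user"))

    @app.route("/login", methods=["POST"])
    def login():
        session["user"] = request.form["user"]  # a real app verifies a password first
        session.regenerate_requested = True     # fresh id, cart carried over
        return jsonify(user=session["user"])

    return app


def demo():
    """Add to cart, log in, add again, using Flask's test client; None if Flask is absent."""
    try:
        import flask  # noqa: F401
    except ImportError:
        return None
    store = ServerSideSessionStore()
    app = build_app(store, secure_cookies=False)  # the test client speaks plain http
    client = app.test_client()
    def sid_of(resp):  # the single Set-Cookie header reads "session=<sid>; HttpOnly; ..."
        return resp.headers["Set-Cookie"].split(";")[0].split("=", 1)[1]

    anon_sid = sid_of(client.post("/cart/add", data={"item": "tacos"}))
    user_sid = sid_of(client.post("/login", data={"user": "kyle"}))
    after = client.post("/cart/add", data={"item": "flan"}).get_json()
    return {"anon_sid": anon_sid, "user_sid": user_sid,
            "old_sid_valid": store.load(anon_sid) is not None, "cart": after}
```

Call `demo()` with Flask installed: the cookie the browser gets back is `session=<43 random characters>`, so neither the cart nor the user name ever leaves the server; a guessed or swapped id resolves to nothing, and the anonymous id stops resolving the moment `/login` regenerates it while the cart survives under the new one. Heroku dynos do not share memory and restart freely, so the dict must become Redis or a database table before deployment.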
From: jeff at jeffwidman.com
Date: Mon, 21 Sep 2015 13:48:02 -0700
To: flask at python.org
Subject: Re: [Flask] Usage of session and g variables
If at all possible, avoid credit card data ever directly touching your server.
It's a huge security risk that's really, really hard to get right, plus there's a bunch of hoops related to PCI compliance.
Instead, if you're rolling your own shopping cart, just use something like Stripe's javascript for the actual payment processing so that the credit card data goes straight from the client to Stripe's servers, and then you only need to store the callback from Stripe that the customer's payment 'succeeded', without actually storing the underlying data.
On Mon, Sep 21, 2015 at 10:44 AM, Jonathan Chen <tamasiaina at gmail.com> wrote:
Sessions will persist through secured cookies, while the g variable only persists with each request. So for a shopping cart a session object would be better to use.
If you wanted to store temporary information, like for instance a credit card or something similar, you can put it in the g variable to process the credit card information later.
~Jonathan C.
On Mon, Sep 21, 2015 at 10:11 AM, Corey Boyle <coreybrett at gmail.com> wrote:
I can't answer your question directly, but maybe you could get some
inspiration from this.
http://satchless.com/
On Mon, Sep 21, 2015 at 12:39 PM, Kyle Lawlor <klawlor419 at gmail.com> wrote:
> Hi, all.
>
>
> I am currently in the process of designing a website for a friend's
> restaurant. I am planning to deploy the website through Heroku. I am just
> hoping to keep the costs down for my friend and learn a few things.
>
> I want to create a portion of the website that can be used for online
> checkout. I am aiming for something similar to any ordering application, i.e.
> grubhub. I have some of the website together, I will post a link to its git
> repository below.
>
> One thing I have been struggling to understand with Flask is the use of
> session variables and global (g) variables. My purpose is to create a
> shopping cart, where I can store what a user wants to order.
>
> So far I have tried creating a standard python array and a variable within
> the view function for the orders page. This is in principle to store which
> items the user selects and to store the total price. The items selected and
> the total price are then rendered appropriately. The obvious problem with
> this method is that the objects are cleared after each request. So the item
> selected and the total price only reflects the previous request.
>
> One way to get around this is to create a global variable outside of the
> route for a given view function. I believe this is incorrect because it
> stores the data even after I go elsewhere on the site.
>
> Creating session variables or global variables for that matter and then
> updating them as selections are made seems to have the same issue as using
> python storage variables within the view function. Please see these links
> for the view function I am talking about.
>
> Declaration of variables (using the g object in this case):
> https://github.com/callmeskywalker/casa-sabor/blob/master/app/main/views.py#L40
> Here is where I look for the user to add an item, and attempt to store the
> data:
> https://github.com/callmeskywalker/casa-sabor/blob/master/app/main/views.py#L97
>
> I am at point now where I am not sure that the usage of session and g
> variables are what I am trying to use them for. I wonder if this is now a
> case where using a database is the technically correct/better thing to do.
>
> My questions are:
> Is my use of global variables problematic?
> Is there a way to use session and/or g for this purpose?
> Am I better off using a database for storing this data?
>
> Please keep in mind I am brand new to using flask and web development in
> general. I look forward to hearing any responses. Feel free to cover
> basics of web development, because I am sure that I am missing some.
>
> If anyone is interested or wants to see the website in action, here is the
> entire git repository:
> https://github.com/callmeskywalker/casa-sabor
>
>
> Thanks, Kyle
>
> _______________________________________________
> Flask mailing list
> Flask at python.org
> https://mail.python.org/mailman/listinfo/flask
>
--
Jeff Widman | jeffwidman.com | 740-WIDMAN-J (943-6265) <><