Best way to handle cgi sessions

Christoph Haas email at christoph-haas.de
Fri Oct 14 22:37:48 CEST 2005


On Friday 14 October 2005 21:22, Derek Perriero wrote:
> What would be the best way to create a cgi session that contains the
> basic elements of a cookie and can also hold secure data, such as a
> username/password. I've explored the possibilities of using SmartCookie,
> but that doesn't encrypt my parameters.

Encrypting the parameters is probably not the best way. Usually you store
the information you need in your own database and just pass the client
(web browser/user) a handle (session ID). That way you temporarily identify
the user through the session ID but can store data in your database that 
the
user cannot even see.

There are a few things you need to take care of like:
- only pass a new session cookie if necessary
  (otherwise the user may be prompted to accept the same cookie time and
  again)
- expire the session if the user hasn't been using it
- check if the session ID fits the IP address you recorded
- create unique session IDs

A link from my list of bookmarks about session handling:
http://starship.python.net/~davem/cgifaq/faqw.cgi?req=show&file=faq02.011.htp

We have recently developed such a session handler for a Debian-related web
site which uses a MySQL table to store session information. If there is
interest I'll tidy it up a bit and make it publicly available.

Cheers
 Christoph
-- 
~
~
".signature" [Modified] 1 line --100%--                1,48         All




More information about the Python-list mailing list