No Cookie: how to implement session?

Paul Rubin http
Tue Mar 28 14:30:05 EST 2006


Dennis Lee Bieber <wlfraed at ix.netcom.com> writes:
> 	Yes... And watch them flounder on sites that use cookies /for/ a
> form of security (ie, those sites that require logins...) Cookies can be
> set to expire, so the "session" can time-out... whereas...

Sites should never rely on cookies timing out.  If there's any
security concern about session persistence and you don't want to track
the session timeout on the server, then encode an expiration time into
the cookie itself, and cryptographically authenticate the cookie.

> > I tried to add hidden field with a sessionID in every python CGI script
> > generated web pages, so every time my client POST a request, the server

The trouble here is that it stops internal links (retrieved with GET
rather than POST) from working.  So normally what you're describing is
done with session IDs in the URL (see amazon.com for example).  That,
too, isn't so great for security, especially for ecommerce sites,
since people tend to share URLs with their friends.  E.g., they'll
post to Usenet or web BBSs, "So-and-so is offering a great deal on
Python manuals, the URL is <http://whatever...>", where "whatever"
includes the session ID.  Anyone clicking the URL then ends up with
the same shopping cart as the person who posted it.

To OP: keep in mind also that anyone who disables cookies probably
also disables javascript, so relying on javascript as you described
for redirection doesn't work too well either.
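The scheme Paul describes above (put the expiry inside the cookie and authenticate the cookie cryptographically, so the server need not track timeouts) as an added Python example; it is not code from the thread. The HMAC-SHA256 construction, the `id.expiry.mac` field layout and the hard-coded key are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed example key: a real deployment loads this from a protected
# secret store and rotates it; it must never ship in source.
SECRET_KEY = b"constructed-example-key-change-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(session_id: str, lifetime_s: int, key: bytes = SECRET_KEY,
                now: Optional[int] = None) -> str:
    """Build 'session_id.expiry.mac'; the MAC covers both id and expiry."""
    if "." in session_id:
        raise ValueError("session id must not contain the field separator")
    expires = int(time.time() if now is None else now) + lifetime_s
    payload = f"{session_id}.{expires}".encode("ascii")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{payload.decode('ascii')}.{_b64(mac)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the session id if the MAC is valid and not yet expired, else None."""
    try:
        session_id, expires_str, mac_b64 = cookie.split(".")
        expires = int(expires_str)
        presented = _unb64(mac_b64)
    except ValueError:  # wrong field count, bad int, or bad base64
        return None
    payload = f"{session_id}.{expires}".encode("ascii")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Authenticate first, in constant time, so a forged expiry is never trusted.
    if not hmac.compare_digest(expected, presented):
        return None
    if int(time.time() if now is None else now) >= expires:
        return None  # genuine cookie, but the server-signed expiry has passed
    return session_id
```

A client that edits the expiry field or the id invalidates the MAC, and a client that never sends the cookie back simply has no session, so no server-side timeout table is needed.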