Mod_python, jsonrpc and sessions

lkcl luke.leighton at googlemail.com
Wed Jan 14 22:19:47 CET 2009


On Jan 14, 4:47 pm, p3dda.a... at googlemail.com wrote:
> Hi,
>
> I've got a python web-application being served by apache via
> mod_python, in which the users sessions are tracked via the mod_python
> Session module.
> Some of websites generated contain a java-script function which starts
> a jsonrpc call to the same server and gets further data or stores
> something to a database (AJAX). The server-sided jsonrpc functions are
> written in python as ServiceMethods.
>
> As I need to identify the user issuing the rpc call, I'm wondering if
> there is any possibility to access the session created by the
> previously called mod_python Handler-method. In mod_python it is
> accessed using the mod_python request object, but in the rpc
> servicemethod I don't have such an object. So how can I track the rpc
> caller?

 the only way to store "session" info reliably is: cookies.

 therefore, the code in one part of the application _will_ have to
store a session cookie as an identifier, and you can track the name of
that cookie through the source code that created it.  or look in the
source code for anything beginning with the word "session".
"grep -ril" is your friend.

 also, if the app stores its session authentication information in a
database, you can look through the app for the database table name.

 if you don't _know_ the database table name, and are having
difficulty finding out because the design of the app is SHITE then you
can do a dump of the database _before_ a session login, and a dump
afterwards, and then diff is your friend.  if the database is mysql,
add --extended-insert=no (something like that) to the mysqldump
command otherwise you will have a bitch-awful job identifying the
right line.

 i've done this when working with fricking-joomla, integrating it with
django.  fireboard.  i had to hunt through the php code looking for
the database user-session.

 once you have the session info, that's your "user tracking" function
in the rpc calls.

 none of the above is particularly rocket science - or actually
anything to do with python: it's a simple matter of applying
investigative techniques logically working from how the technology
_should_ work and then bludgeoning it into submission to tell you what
the hell's going on.

l.
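The approach the reply describes, resolving the RPC caller from the session cookie the earlier handler set, as an added example that is not code from the thread or from mod_python. It assumes a session store keyed by session id with a user name and expiry per record, and a cookie name of "pysid" (mod_python's default; configurable here).

```python
"""Resolve the calling user of a JSON-RPC request from its session cookie.

Added example, not from the original thread. Assumes a cookie-based session
store keyed by session id (mod_python's Session uses a cookie named "pysid"
by default; the name below is an assumption) and a session record holding
the user name and an expiry timestamp.
"""
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "pysid"  # assumption: the app's session cookie name

# Constructed sample session store: session id -> session record.
# In the real app this is whatever table or file the handler writes to.
SESSIONS = {
    "a1b2c3": {"user": "alice", "expires": time.time() + 3600},
    "d4e5f6": {"user": "bob", "expires": time.time() - 1},  # expired
}


def session_id_from_headers(headers, cookie_name=SESSION_COOKIE):
    """Extract the session id from the Cookie header, or None if absent."""
    raw = headers.get("Cookie")
    if not raw:
        return None
    jar = SimpleCookie()
    try:
        jar.load(raw)
    except Exception:  # malformed Cookie header: treat as no session
        return None
    morsel = jar.get(cookie_name)
    return morsel.value if morsel else None


def rpc_caller(headers, store=SESSIONS, now=None):
    """Return the user behind an RPC call, or None if no valid session.

    The RPC method has no mod_python request object, so the cookie set by
    the earlier handler is the only link back to the browser's session.
    """
    now = time.time() if now is None else now
    sid = session_id_from_headers(headers)
    if sid is None:
        return None
    record = store.get(sid)
    if record is None or record["expires"] <= now:
        return None  # unknown or expired session: caller is anonymous
    return record["user"]
```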


