Re: No Cookie: how to implement session?



Sullivan WxPyQtKinter wrote:
> As you said, ....There is no solution? I mean, tracing a real session
> without using tricks like hidden field and cookies in CGI script?

As people have said, this isn't a limitation of python, it's a feature
of HTTP. You might want to consider whether you actually need sessions
- see if you can design your application to use REST (see e.g.
http://www.xfront.com/REST-Web-Services.html , or there's lots of
information on Google).

People have also mentioned this in passing, but a third alternative to
cookies and hidden fields is to use a session key in the query string -
this can be used for GET requests, so would work in redirects as well
as form submissions. Try:

http://yoursite.example/page?session=key

Then you need to remember, whenever you include a link to your site
that should retain the session information to add the session key to
the URL. You could define a function:

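    import urllib

    def session_url(url, key, params=None):
        # Build url?session=<key>&name=value..., percent-encoding each part
        qstring = "%s=%s" % ('session', urllib.quote(key))
        for (name, value) in (params or {}).items():
            qstring += "&%s=%s" % (urllib.quote(name), urllib.quote(value))
        return url + "?" + qstring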

And use it like:

    # Do redirect
    print "Location: " + session_url('new_page', session_key)

Or:

    # Redirect to a page that loads the item called 'anitem'
    print "Location: " + session_url('new_page', session_key, {'item': 'anitem'})

If you want to link to this URL in an HTML page, you need to remember
to escape the '&' character:

    # Escape the URL for the attribute and the item name for the link text
    print '<a href="%s">Edit item %s</a>' % (
        cgi.escape(session_url('edit', session_key, {'item': item_name}), True),
        cgi.escape(item_name))

Then, if you need to submit a form, you can add the key as a hidden
field.
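
An added example, not code from the thread: the server side of the query-string session scheme described above, in Python 3 with only the standard library. It issues the key itself, rejects any key it did not issue, and expires idle sessions. `new_session`, `load_session`, `SESSIONS` and `SESSION_TTL` are hypothetical names, and the in-memory dict stands in for a real session store.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

SESSION_TTL = 900   # assumed idle timeout, in seconds
SESSIONS = {}       # key -> {"expires": float, "data": dict}; stand-in store


def new_session(now=None):
    """Issue an unguessable key; the server, never the client, chooses it."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)
    SESSIONS[key] = {"expires": now + SESSION_TTL, "data": {}}
    return key


def session_url(url, key, params=None):
    """Append the session key and any extra parameters, percent-encoded."""
    query = [("session", key)] + sorted((params or {}).items())
    return url + "?" + urlencode(query)


def load_session(request_url, now=None):
    """Return the session data for a request URL, or None when the key is
    missing, duplicated, not issued by this server, or expired."""
    now = time.time() if now is None else now
    keys = parse_qs(urlsplit(request_url).query).get("session", [])
    if len(keys) != 1:
        return None                        # absent or repeated parameter
    entry = SESSIONS.get(keys[0])
    if entry is None:
        return None                        # unknown key: reject, never adopt it
    if entry["expires"] < now:
        del SESSIONS[keys[0]]              # expired: drop the server-side state
        return None
    entry["expires"] = now + SESSION_TTL   # sliding expiry on each valid use
    return entry["data"]
```

Because the key travels in the URL, it also appears in server logs, browser history and Referer headers, which is why the timeout is kept short here.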
