No Cookie: how to implement session?

I do not want to use Cookies in my site since not all web browser
support it well and sometimes people close cookie functioning for
security reasons.

I tried to add hidden field with a sessionID in every python CGI script
generated web pages, so everytime my client POST a request, the server
will retrieve the sessionID and decide if it is in the same session.
However, since python cgi do not have a function for redirecting to a
page, I use Location: url http head or <body
onload="document.location=\'%s\'"></body> javascript for
redirecting. In this case, hidden field could not be used any more.

Really wish python would have session management or equivalent in
standard CGI module~~~~

Mar 28 '06 #1
Dennis Lee Bieber <wl*****@ix.netcom.com> writes:
Yes... And watch them flounder on sites that use cookies /for/ a
form of security (ie, those sites that require logins...) Cookies can be
set to expire, so the "session" can time-out... whereas...


Sites should never rely on cookies timing out. If there's any
security concern about session persistence and you don't want to track
the session timeout on the server, then encode an expiration time into
the cookie itself, and cryptographically authenticate the cookie.
I tried to add hidden field with a sessionID in every python CGI script
generated web pages, so everytime my client POST a request, the server


The trouble here is that it stops internal links (retrieved with GET
rather than POST) from working. So normally what you're describing is
done with session ID's in the url (see amazon.com for example). That,
too, isn't so great for security, especially for ecommerce sites,
since people tend to share url's with their friends. E.g., they'll
post to Usenet or web bbs's, So-and-so is offering a great deal on
Python manuals, the url is <http://whatever...> where "whatever"
includes the session ID. Anyone clicking the url then ends up with
the same shopping cart as the person who posted it.

To OP: keep in mind also that anyone who disables cookies probably
also disables javascript, so relying on javascript as you described
for redirection doesn't work too well either.
Mar 28 '06 #2
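The cryptographically authenticated, self-expiring cookie Paul describes in #2, as an added example in Python that is not part of the original thread: the session id and an expiry timestamp are signed with HMAC-SHA256 under a server secret, so the server rejects expired or tampered tokens without the per-session timer Dennis worries about in #3. The secret, the token layout and the helper names are this example's own assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Assumed server-side secret for this example; a real deployment loads it from
# configuration and rotates it, never hard-codes it.
SECRET_KEY = b"constructed-example-secret-not-for-real-use"


def make_token(session_id, lifetime_seconds, now=None, key=SECRET_KEY):
    """Build 'session_id:expiry:mac', where mac authenticates the first two fields.

    The expiry travels inside the token, so enforcing it needs no timer thread
    and no per-session timeout table on the server.
    """
    if now is None:
        now = int(time.time())
    expiry = int(now) + int(lifetime_seconds)
    payload = "%s:%d" % (session_id, expiry)
    mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return payload + ":" + base64.urlsafe_b64encode(mac).decode("ascii")


def verify_token(token, now=None, key=SECRET_KEY):
    """Return the session id if the MAC is valid and the token is unexpired, else None."""
    if now is None:
        now = int(time.time())
    parts = token.rsplit(":", 2)
    if len(parts) != 3:
        return None
    session_id, expiry_text, mac_text = parts
    try:
        expiry = int(expiry_text)
        supplied_mac = base64.urlsafe_b64decode(mac_text.encode("ascii"))
    except (ValueError, binascii.Error, UnicodeEncodeError):
        return None
    # Recompute the MAC over the canonical form of what the client presented ...
    payload = "%s:%d" % (session_id, expiry)
    expected_mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    # ... and compare in constant time before trusting either field.
    if not hmac.compare_digest(expected_mac, supplied_mac):
        return None
    if int(now) >= expiry:
        return None
    return session_id


def set_cookie_header(token):
    """Set-Cookie line for a CGI script.

    No Expires/Max-Age is sent, so the browser treats the cookie as ephemeral
    (dropped when the browser closes, and accepted by a 'session cookies only'
    setting); the real lifetime is enforced by verify_token instead.
    """
    return "Set-Cookie: session=%s; Path=/; HttpOnly; Secure" % token


if __name__ == "__main__":
    tok = make_token("c0ffee", 600, now=1000)  # constructed: valid until t=1600
    print(set_cookie_header(tok))
    print(verify_token(tok, now=1500))  # prints c0ffee
    print(verify_token(tok, now=1600))  # prints None (expired)
```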
As you said, ....There is no solution? I mean, tracing a real session
without using tricks like hidden field and cookies in CGI script?
Dennis Lee Bieber wrote:
On 28 Mar 2006 09:40:24 -0800, "Sullivan WxPyQtKinter"
<su***********@gmail.com> declaimed the following in comp.lang.python:
I do not want to use Cookies in my site since not all web browser
support it well and sometimes people close cookie functioning for
security reasons.

Yes... And watch them flounder on sites that use cookies /for/ a
form of security (ie, those sites that require logins...) Cookies can be
set to expire, so the "session" can time-out... whereas...
I tried to add hidden field with a sessionID in every python CGI script
generated web pages, so everytime my client POST a request, the server


This would imply that a client could start a session today, and
finally submit tomorrow... There's no real time-out capability unless
you run some background timer thread for each "session ID"...
will retrieve the sessionID and decide if it is in the same session.
However, since python cgi do not have a function for redirecting to a
page, I use Location: url http head or <body


Isn't redirect normally the responsibility of the web server
/before/ invoking the CGI script itself? I'll concede I'm weak on that
level of detail.
Really wish python would have session management or equivalent in
standard CGI module~~~~


The standard CGI module is only the lowest common base for dynamic
web pages. The technology goes back decades, possibly even predating
cookies. Look at the name: Common Gateway Interface... It's a building
block responsible for getting submitted form data, as passed by the web
server environment, and returning generated data -- the interface
between an application and the web server. All else must be built on top
of it -- hence separate modules for Cookie control, etc.
--
> ============================================================== <
> wl*****@ix.netcom.com | Wulfraed Dennis Lee Bieber KD6MOG <
> wu******@dm.net | Bestiaria Support Staff <
> ============================================================== <
> Home Page: <http://www.dm.net/~wulfraed/> <
> Overflow Page: <http://wlfraed.home.netcom.com/> <


Mar 29 '06 #3
Sullivan WxPyQtKinter <su***********@gmail.com> wrote:
As you said, ....There is no solution? I mean, tracing a real session
without using tricks like hidden field and cookies in CGI script?


Cookies aren't "tricks" -- they are THE standard, architected solution
for session persistence in HTTP 1.1 -- people who disable them are
saying they do not *WANT* persistent sessions... on their heads be it.
Alex
Mar 29 '06 #4
al*****@yahoo.com (Alex Martelli) writes:
Cookies aren't "tricks" -- they are THE standard, architected solution
for session persistence in HTTP 1.1 -- people who disable them are
saying they do not *WANT* persistent sessions... on their heads be it.


That so many people do this is partly the fault of browsers. Until
recently, there was no way to configure most browsers to accept all
cookies but treat them as ephemeral (dispose of them when you close
the browser). Your choices were:

1) accept all cookies; non-ephemeral ones would persist on your hard disk
2) accept only ephemeral cookies: ones marked non-ephemeral would be
ignored
3) ignore ALL cookies

Choice #1 enables invasive long-term user tracking that is not
necessary for mere session persistence.

Choice #2 stops the long-term tracking, but session cookies get
ignored if they have an expiration date (that makes them
non-ephemeral). That stops most session cookies from working. This
choice was available in some versions of Netscape Communicator but I
don't think MS Explorer had it.

Choice #3 stops sessions from working all the time.

What you really want is for your browser to accept all cookies
including persistent ones, but the cookie at the end of the session
regardless of the requested expiration date. Firefox can do that and
it's the setting that I use. I don't know if other browsers can do it yet.
Mar 29 '06 #5
Sullivan WxPyQtKinter wrote:
I do not want to use Cookies in my site since not all web browser
support it well and sometimes people close cookie functioning for
security reasons.
Too bad for them. The only other way to support session is by encoding
the session id in the request, and it's much more of a security hole
than cookies.
I tried to add hidden field with a sessionID in every python CGI script
generated web pages, so everytime my client POST a request,
POST is for submitting data to the server. The method for retrieving
data from the server is GET.
the server
will retrieve the sessionID and decide if it is in the same session.
However, since python cgi do not have a function for redirecting to a
page, I use Location: url http head
How do you think redirections are implemented in frameworks that have
syntactic sugar for this ? At the HTTP level, redirections are done by
sending the corresponding status code and headers. And writing your own
redirect() function is pretty trivial.
or <body
onload="document.location=\'%s\'"></body> javascript for
redirecting.
And you don't want to use cookies ? Lol.
in this case, hidden field could not be used any more.

Really wish python would have session management or equivalent in
standard CGI module~~~~


*Please* take some time to understand how HTTP (and CGI) works - it will
save you a lot of time.

HTTP is a *stateless* protocol, which means that the server itself
forgets everything about a request as soon as it is done handling it. So
a request must provide *all* necessary information. The *only* way to
maintain some kind of 'session' with HTTP is to make sure the client
passes the needed session identifier back to the server. And the 2 only
ways to do it are to :
1/ use a cookie
2/ put the identifier in the request (usually in the query string part
of the url).

The fact that Python's CGI module doesn't offer out of the box support
for sessions has no relation with how sessions work.

BTW, you may want to have a look at Webstack, which provides a common
API over cgi, mod_python, and some other deployment solutions. This is a
pretty boring API (no magic, nothing fancy, nothing sexy etc), but it's
somewhat higher-level than plain CGI and it offers support for sessions
(yes, with cookies - like 99,99% of web programming solutions).
--
bruno desthuilliers
python -c "print '@'.join(['.'.join([w[::-1] for w in p.split('.')]) for
p in 'o****@xiludom.gro'.split('@')])"
Mar 29 '06 #6
Dennis Lee Bieber <wl*****@ix.netcom.com> writes:
Do we have the same dictionary?

Ephemeral, as in "mayflies are ephemeral", means "of short life"...
A cookie with a built-in expiration would, to my mind, be "ephemeral"
Ephemeral cookies in web-head jargon are cookies with no specified
expiration date, so they go away when you close the browser. Cookies
with expiration dates persist until that date (which admittedly might
be just a few seconds away but usually is much longer) if the server
side programmer gets what s/he wants. Usually, the expiration date is
WAY in the future, i.e. the server is either trying to set a
persistent login credential (ok, if the user wants it) or is trying to
do invasive user tracking (not good: see the recent news stories about
the court case around the US government trying to get Google search
logs, and then remember that Google sets a cookie that tries to
correlate all of any user's searches with each other).
Firefox control has:

Keep cookies: until they expire
until I close Firefox


Yes, it took a very long time to get some browser to implement it.
There's a huge and hairy thread about it in bugzilla.mozilla.com
somewhere asking why Communicator didn't do it.
Mar 29 '06 #7
In article <1h**************************@yahoo.com>,
Alex Martelli <al*****@yahoo.com> wrote:

Cookies aren't "tricks" -- they are THE standard, architected solution
for session persistence in HTTP 1.1 -- people who disable them are
saying they do not *WANT* persistent sessions... on their heads be it.


OTOH, there are too many sites out there that mandate persistent sessions
for no good reason. NetFlix being a canonical example (before logging
in, that is). Sites should degrade gracefully in the absence of cookies
unless they are absolutely essential for site operation.
--
Aahz (aa**@pythoncraft.com) <*> http://www.pythoncraft.com/

"Look, it's your affair if you want to play with five people, but don't
go calling it doubles." --John Cleese anticipates Usenet
Mar 29 '06 #8
I V
Sullivan WxPyQtKinter wrote:
As you said, ....There is no solution? I mean, tracing a real session
without using tricks like hidden field and cookies in CGI script?


As people have said, this isn't a limitation of python, it's a feature
of HTTP. You might want to consider whether you actually need sessions
- see if you can design your application to use REST (see e.g.
http://www.xfront.com/REST-Web-Services.html , or there's lots of
information on Google).

People have also mentioned this in passing, but third alternative to
cookies and hidden fields is to use a session key in the query string -
this can be used for GET requests, so would work in redirects as well
as form submissions. Try:

http://yoursite.example/page?session=key

Then you need to remember, whenever you include a link to your site
that should retain the session information to add the session key to
the URL. You could define a function:

import urllib

def session_url(url, key, **params):
    # The query string always starts with the session key
    qstring = "%s=%s" % ('session', urllib.quote(key))
    # Any extra parameters are URL-quoted and appended
    for (name, value) in params.items():
        qstring += "&%s=%s" % (urllib.quote(name), urllib.quote(value))
    # Return the complete URL, not just the query string
    return url + '?' + qstring

And use it like:

# Do redirect
print "Location: " + session_url('new_page', session_key)

Or:

# Redirect to a page that loads the item called 'anitem'
print "Location: " + session_url('new_page', session_key, item='anitem')

If you want to link to this URL in an HTML page, you need to remember
to escape the '&' character:

print "<a href='%s'>Edit item %s</a>" % (cgi.escape(session_url('edit',
    session_key, item=item_name)), item_name)

Then, if you need to submit a form, you can add the key as a hidden
field.

Mar 29 '06 #9
Aahz <aa**@pythoncraft.com> wrote:
In article <1h**************************@yahoo.com>,
Alex Martelli <al*****@yahoo.com> wrote:

Cookies aren't "tricks" -- they are THE standard, architected solution
for session persistence in HTTP 1.1 -- people who disable them are
saying they do not *WANT* persistent sessions... on their heads be it.


OTOH, there are too many sites out there that mandate persistent sessions
for no good reason. NetFlix being a canonical example (before logging
in, that is). Sites should degrade gracefully in the absence of cookies
unless they are absolutely essential for site operation.


I entirely agree with you -- do you mean netflix just won't work if I
try to visit it, not log in, with cookies disabled in my browser?!
Alex
Mar 30 '06 #10