cgi - secure sessions

Hey,

I was just wondering if / how would it be possible to create secure
sessions for a website using Python CGI... I thought of using cookies,
and things looked promising for a while; I could login through a form
which pointed to a cgi script which created and sent the user cookies, but
I found that when a script to detect the cookies was run through a
server side include line in the html, it couldn't get any cookies, but
it would work fine when run directly through the browser (which is
useless to me).

If anybody could help with this it would be great. Python is the only
programming language that I'm relatively comfortable in at the moment,
so using the usual PHP or Javascript just isn't an option for me
unfortunately.

GazaM

Feb 2 '06 #1
in******@gmail.com wrote:
Hey,

I was just wondering if / how would it be possible to create secure
sessions for a website using Python CGI... I thought of using cookies,
and things looked promising for a while; I could login through a form
which pointed to a cgi script which created and sent the user cookies, but
I found that when a script to detect the cookies was run through a
server side include line in the html, it couldn't get any cookies, but
it would work fine when run directly through the browser (which is
useless to me).

If anybody could help with this it would be great. Python is the only
programming language that I'm relatively comfortable in at the moment,
so using the usual PHP or Javascript just isn't an option for me
unfortunately.

GazaM


For what it's worth, mod_python supports sessions:

http://www.modpython.org/live/curren...yapi-sess.html

I've been playing with them recently, and they seem to work. :-)

-Kirk McDonald
Feb 2 '06 #2
in******@gmail.com writes:
I was just wondering if / how would it be possible to create secure
sessions for a website using Python CGI... I thought of using cookies,
and things looked promising for a while; I could login through a form
which pointed to a cgi script which created and sent the user cookies,


Yes, that's the usual way: send a cookie containing either the session
ID or the session data, and read it back on the server side. Be very
careful about what you put in the cookie: if it's a session ID, it
should be a long random string, not a session number like 37 (if you
use consecutive numbers, someone can change their number and take over
someone else's session). If it's more complex session data, validate
it carefully on the server side, maybe by authenticating it with
something like the hmac module.
Feb 2 '06 #3
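
The advice in the reply above (a long random session ID, and session data authenticated with the hmac module), as an added example that is not part of the original thread. It is written for Python 3, where the `Cookie` module is named `http.cookies`, and reads the cookie back from the `HTTP_COOKIE` CGI environment variable. The key, the cookie name `session`, the one-hour lifetime and all function names are assumptions, and the `Secure` flag assumes the site is served over HTTPS.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Assumption: in a real deployment the key is loaded from protected storage.
SECRET_KEY = b"constructed-demo-key"
MAX_AGE = 3600  # assumed session lifetime in seconds


def _mac(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_token(user, now=None):
    """Build 'sid|issued|user|mac'; sid is a long random string, never a counter."""
    issued = int(time.time() if now is None else now)
    payload = "|".join([secrets.token_urlsafe(32), str(issued), user])
    return payload + "|" + _mac(payload)


def set_cookie_header(token):
    """Format the Set-Cookie line the login CGI prints before its blank line."""
    jar = SimpleCookie()
    jar["session"] = token
    jar["session"]["path"] = "/"
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True  # assumes HTTPS
    return jar.output()


def read_session(environ, now=None):
    """Return (sid, user) from a CGI environment, or None if absent, forged or expired."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if "session" not in jar:
        return None
    payload, sep, mac = jar["session"].value.rpartition("|")
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not sep or not hmac.compare_digest(_mac(payload).encode(), mac.encode()):
        return None
    sid, issued, user = payload.split("|", 2)  # safe: payload is authenticated
    current = time.time() if now is None else now
    if current - int(issued) > MAX_AGE:
        return None
    return sid, user
```

A CGI script would call `read_session(os.environ)`; the returned `sid` can key server-side state, while the MAC stops a client from editing the user name or issue time.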
wow, those were some seriously quick replies, thanks. I understand that
cookies are the best way to do things, but I didn't explain my problem
well, sorry.

Basically, I have a blog in the works and I want to have an online
interface for posting. What I have is a cgi script run through a server
side include line in the html, which looks for the session cookie, if
it is present will say 'logged in as "user"' and if the cookie isn't
there will display a login form. Now, the big showstopper here is that,
because session cookies are stored in http headers sent by the client
(afaik) the cgi script can't get any, because the http headers are
passed onto the html file and any cgi scripts inside don't get
anything... is there a workaround possible? I need to use an include
line instead of pointing to the script and making it output full html
as there are various other scripts run in the html as well, plus I am
hoping to use the cookie-detection script in other ways than just the
home page...

Again, any help is appreciated.

GazaM

Feb 2 '06 #4
GazaM wrote:
What I have is a cgi script run through a server
side include line in the html, which looks for the session cookie, if
it is present will say 'logged in as "user"' and if the cookie isn't
there will display a login form. Now, the big showstopper here is that,
because session cookies are stored in http headers sent by the client
(afaik) the cgi script can't get any, because the http headers are
passed onto the html file and any cgi scripts inside don't get
anything... is there a workaround possible?


Python has a built-in Cookie module:

http://www.python.org/doc/2.4.2/lib/module-Cookie.html

It may simplify matters.

-Kirk McDonald
Feb 2 '06 #5
"GazaM" <in******@gmail.com> writes:
there will display a login form. Now, the big showstopper here is that,
because session cookies are stored in http headers sent by the client
(afaik) the cgi script can't get any, because the http headers are
passed onto the html file and any cgi scripts inside don't get
anything... is there a workaround possible?


Usually the httpd (i.e. web server) saves the cookie data as
environment variables that the cgi can see. What httpd are you using?
"Server side includes" used to mean something specific, a very old
dynamic html scheme that nobody uses much any more. I'm presuming
your cgi is written in Python. Have you looked at the cgi module docs?
Feb 2 '06 #6
Kirk: I'm using the Cookie module to create/send/read the cookies. The
problem is that I can't read session cookies when running the script
from a server side include line.

Paul: By server side include I mean simply calling upon the script from
an include line within the html, for example '<!--#include
virtual="/cgi-bin/cookietest.cgi" -->'

GazaM

Feb 2 '06 #7
"GazaM" <in******@gmail.com> writes:
Paul: By server side include I mean simply calling upon the script from
an include line within the html, for example '<!--#include
virtual="/cgi-bin/cookietest.cgi" -->'


Try printing the contents of os.getenv() in your script and see
if the cookie data is in there.
Feb 2 '06 #8

GazaM wrote:
wow, those were some seriously quick replies, thanks. I understand that
cookies are the best way to do things, but I didn't explain my problem
well, sorry.

Basically, I have a blog in the works and I want to have an online
interface for posting. What I have is a cgi script run through a server
side include line in the html, which looks for the session cookie, if
it is present will say 'logged in as "user"' and if the cookie isn't
there will display a login form. Now, the big showstopper here is that,
because session cookies are stored in http headers sent by the client
(afaik) the cgi script can't get any, because the http headers are
passed onto the html file and any cgi scripts inside don't get
anything... is there a workaround possible? I need to use an include
line instead of pointing to the script and making it output full html
as there are various other scripts run in the html as well, plus I am
hoping to use the cookie-detection script in other ways than just the
home page...

logintools is a Python CGI framework for logins and account management.
You could also 'overload' the account management to provide session
management if you want. (You'd have to be careful if the user could
potentially run more than one session simultaneously - maybe I can
build support into logintools for this).

It includes functions to *tell* if a user is logged in, and can also
automatically divert the user to a login page if you want.

It uses HTML templates so you can customise the appearance of the pages
it generates. It will handle sign-ups (you can allow new sign-ups or
not), user account management, and administrative account management.

You can also choose whether to use session cookies (only exists whilst
the same browser window is open - after that the user must login), or
set a length of time the cookie is valid for.

http://www.voidspace.org.uk/python/logintools.html

I'm happy to provide support via the Pythonutils mailing list :

http://groups.google.com/group/pythonutils

The best place to start might be an example application, like protected
page :

http://www.voidspace.org.uk/python/cgi.shtml

This doesn't use the features to tell you if the user is logged in (it
just prevents access to the application if the user isn't logged in -
and presents them with a login page). It's a good place to start
though.

All the best,

Fuzzyman
http://www.voidspace.org.uk/python/index.shtml
Again, any help is appreciated.

GazaM


Feb 2 '06 #9
Ok, thanks for all the help guys. It seems that running this type of
script from inside of the html just isn't going to work as needed.
Seems like I'll just have to ditch the .shtml and point directly to a
cgi. This is how the other Python frameworks and sites work, such as
reddit and plone etc right?

Feb 2 '06 #10

GazaM wrote:
Ok, thanks for all the help guys. It seems that running this type of
script from inside of the html just isn't going to work as needed.
Seems like I'll just have to ditch the .shtml and point directly to a
cgi. This is how the other Python frameworks and sites work, such as
reddit and plone etc right?


That's more normal. logintools has templates in a directory and outputs
pages based on those. That's what all the 'templating engine'
discussion going on at the moment is about.

On the other hand, you can have static html pages with forms that call
the CGI. The CGI will still have to return HTML though.

logintools itself uses an *ultra simple* templating system - just
replacing special values in the template with the dynamically generated
values. There is no logic in the templates whatsoever.

All the best,
Fuzzyman
http://www.voidspace.org.uk/python/index.shtml

Feb 2 '06 #11

GazaM wrote:
Ok, thanks for all the help guys. It seems that running this type of
script from inside of the html just isn't going to work as needed.
Seems like I'll just have to ditch the .shtml and point directly to a
cgi. This is how the other Python frameworks and sites work, such as
reddit and plone etc right?


I'm not sure if you can 'include' a CGI and expect the results to get
included in a page (although I think I've heard of PHP being used in
that way.)

It doesn't sound like it's working for you anyway.

All the best,
Fuzzyman
http://www.voidspace.org.uk/python/index.shtml

Feb 2 '06 #13
