
No Cookie: how to implement session?

I do not want to use cookies in my site since not all web browsers
support them well and sometimes people turn cookies off for
security reasons.

I tried to add a hidden field with a sessionID to every web page
generated by my python CGI scripts, so every time my client POSTs a request, the server
will retrieve the sessionID and decide if it is in the same session.
However, since python cgi does not have a function for redirecting to a
page, I use a Location: url HTTP header or <body
onload="document.location=\'%s\'"></body> javascript for
redirecting. In this case, the hidden field can not be used any more.

Really wish python would have session management or an equivalent in the
standard CGI module~~~~

Mar 28 '06 #1
Dennis Lee Bieber <wl*****@ix.netcom.com> writes:
Yes... And watch them flounder on sites that use cookies /for/ a
form of security (ie, those sites that require logins...) Cookies can be
set to expire, so the "session" can time-out... whereas...


Sites should never rely on cookies timing out. If there's any
security concern about session persistence and you don't want to track
the session timeout on the server, then encode an expiration time into
the cookie itself, and cryptographically authenticate the cookie.
I tried to add a hidden field with a sessionID to every web page
generated by my python CGI scripts, so every time my client POSTs a request, the server


The trouble here is that it stops internal links (retrieved with GET
rather than POST) from working. So normally what you're describing is
done with session IDs in the URL (see amazon.com for example). That,
too, isn't so great for security, especially for ecommerce sites,
since people tend to share URLs with their friends. E.g., they'll
post to Usenet or web BBSs, "So-and-so is offering a great deal on
Python manuals, the url is <http://whatever...>" where "whatever"
includes the session ID. Anyone clicking the URL then ends up with
the same shopping cart as the person who posted it.

To OP: keep in mind also that anyone who disables cookies probably
also disables javascript, so relying on javascript as you described
for redirection doesn't work too well either.
Mar 28 '06 #2
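Paul's suggestion above (an expiration time encoded into the cookie itself, with the whole value cryptographically authenticated) as an added example; this is not code from the thread. It uses HMAC-SHA256 with a constructed demo key, and assumes the session id never contains the '|' separator.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a deployment loads a random secret from outside the script.
SECRET_KEY = b"demo-secret-do-not-use-in-production"


def _sign(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def make_session_cookie(session_id: str, ttl_seconds: int, now: int,
                        key: bytes = SECRET_KEY) -> str:
    """Return a cookie value 'session_id|expires|mac' that carries its own expiry.

    'now' is a Unix timestamp passed in explicitly so the behaviour is testable.
    """
    expires = now + ttl_seconds
    payload = f"{session_id}|{expires}".encode("ascii")
    return f"{session_id}|{expires}|{_sign(payload, key)}"


def verify_session_cookie(value: str, now: int, key: bytes = SECRET_KEY):
    """Return the session id if the value is authentic and unexpired, else None.

    The server keeps no per-session timer: the expiry travels inside the cookie
    and the MAC stops the client from editing either the id or the expiry.
    """
    try:
        session_id, expires_str, mac = value.split("|")
        expires = int(expires_str)
    except ValueError:
        return None  # malformed: wrong field count or non-numeric expiry
    payload = f"{session_id}|{expires}".encode("ascii")
    # Constant-time comparison so a forged MAC cannot be probed via timing.
    if not hmac.compare_digest(_sign(payload, key), mac):
        return None
    if now >= expires:
        return None  # authentic but expired: the session has timed out
    return session_id
```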
As you said... there is no solution? I mean, tracing a real session
without using tricks like hidden fields and cookies in a CGI script?
Dennis Lee Bieber wrote:
On 28 Mar 2006 09:40:24 -0800, "Sullivan WxPyQtKinter"
<su***********@gmail.com> declaimed the following in comp.lang.python:
I do not want to use cookies in my site since not all web browsers
support them well and sometimes people turn cookies off for
security reasons.

Yes... And watch them flounder on sites that use cookies /for/ a
form of security (ie, those sites that require logins...) Cookies can be
set to expire, so the "session" can time-out... whereas...
I tried to add a hidden field with a sessionID to every web page
generated by my python CGI scripts, so every time my client POSTs a request, the server


This would imply that a client could start a session today, and
finally submit tomorrow... There's no real time-out capability unless
you run some background timer thread for each "session ID"...
will retrieve the sessionID and decide if it is in the same session.
However, since python cgi does not have a function for redirecting to a
page, I use a Location: url HTTP header or <body


Isn't redirect normally the responsibility of the web server
/before/ invoking the CGI script itself? I'll concede I'm weak on that
level of detail.
Really wish python would have session management or an equivalent in the
standard CGI module~~~~


The standard CGI module is only the lowest common base for dynamic
web pages. The technology goes back decades, possibly even predating
cookies. Look at the name: Common Gateway Interface... It's a building
block responsible for getting submitted form data, as passed by the web
server environment, and returning generated data -- the interface
between an application and the web server. All else must be built on top
of it -- hence separate modules for Cookie control, etc.
--
> ================================================== ============ <
> wl*****@ix.netcom.com | Wulfraed Dennis Lee Bieber KD6MOG <
> wu******@dm.net | Bestiaria Support Staff <
> ================================================== ============ <
> Home Page: <http://www.dm.net/~wulfraed/> <
> Overflow Page: <http://wlfraed.home.netcom.com/> <


Mar 29 '06 #3
Sullivan WxPyQtKinter <su***********@gmail.com> wrote:
As you said... there is no solution? I mean, tracing a real session
without using tricks like hidden fields and cookies in a CGI script?


Cookies aren't "tricks" -- they are THE standard, architected solution
for session persistence in HTTP 1.1 -- people who disable them are
saying they do not *WANT* persistent sessions... on their heads be it.
Alex
Mar 29 '06 #4
al*****@yahoo.com (Alex Martelli) writes:
Cookies aren't "tricks" -- they are THE standard, architected solution
for session persistence in HTTP 1.1 -- people who disable them are
saying they do not *WANT* persistent sessions... on their heads be it.


That so many people do this is partly the fault of browsers. Until
recently, there was no way to configure most browsers to accept all
cookies but treat them as ephemeral (dispose of them when you close
the browser). Your choices were:

1) accept all cookies; non-ephemeral ones would persist on your hard disk
2) accept only ephemeral cookies: ones marked non-ephemeral would be
ignored
3) ignore ALL cookies

Choice #1 enables invasive long-term user tracking that is not
necessary for mere session persistence.

Choice #2 stops the long-term tracking, but session cookies get
ignored if they have an expiration date (that makes them
non-ephemeral). That stops most session cookies from working. This
choice was available in some versions of Netscape Communicator but I
don't think MS Explorer had it.

Choice #3 stops sessions from working all the time.

What you really want is for your browser to accept all cookies
including persistent ones, but discard the cookie at the end of the session
regardless of the requested expiration date. Firefox can do that and
it's the setting that I use. I don't know if other browsers can do it yet.
Mar 29 '06 #5
Sullivan WxPyQtKinter wrote:
I do not want to use cookies in my site since not all web browsers
support them well and sometimes people turn cookies off for
security reasons.
Too bad for them. The only other way to support sessions is by encoding
the session id in the request, and it's much more of a security hole
than cookies.
I tried to add a hidden field with a sessionID to every web page
generated by my python CGI scripts, so every time my client POSTs a request,
POST is for submitting data to the server. The method for retrieving
data from the server is GET.
the server
will retrieve the sessionID and decide if it is in the same session.
However, since python cgi does not have a function for redirecting to a
page, I use a Location: url HTTP header
How do you think redirections are implemented in frameworks that have
syntactic sugar for this? At the HTTP level, redirections are done by
sending the corresponding status code and headers. And writing your own
redirect() function is pretty trivial.
or <body
onload="document.location=\'%s\'"></body> javascript for
redirecting.
And you don't want to use cookies? Lol.
In this case, the hidden field can not be used any more.

Really wish python would have session management or an equivalent in the
standard CGI module~~~~


*Please* take some time to understand how HTTP (and CGI) works - it will
save you a lot of time.

HTTP is a *stateless* protocol, which means that the server itself
forgets everything about a request as soon as it is done handling it. So
a request must provide *all* necessary information. The *only* way to
maintain some kind of 'session' with HTTP is to make sure the client
passes the needed session identifier back to the server. And the only 2
ways to do it are to:
1/ use a cookie
2/ put the identifier in the request (usually in the query string part
of the url).

The fact that Python's CGI module doesn't offer out of the box support
for sessions has no relation with how sessions work.

BTW, you may want to have a look at Webstack, which provides a common
API over cgi, mod_python, and some other deployment solutions. This is a
pretty boring API (no magic, nothing fancy, nothing sexy etc), but it's
somewhat higher-level than plain CGI and it offers support for sessions
(yes, with cookies - like 99,99% of web programming solutions).
--
bruno desthuilliers
python -c "print '@'.join(['.'.join([w[::-1] for w in p.split('.')]) for
p in 'o****@xiludom.gro'.split('@')])"
Mar 29 '06 #6
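The two transports Bruno lists, cookie and query string, together with a hand-written CGI redirect, as an added example; this is not code from the thread. It reads the identifier from the CGI environment (HTTP_COOKIE and QUERY_STRING), preferring the cookie, and only appends the session parameter to a redirect target when the client is already carrying the session in the URL. The cookie and parameter names are assumptions, chosen to match the 'session=key' URL used later in the thread.

```python
from http.cookies import CookieError, SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SESSION_COOKIE = "session"  # assumed cookie name
SESSION_PARAM = "session"   # assumed query-string parameter name


def session_id_from_request(environ: dict):
    """Find the session identifier the client sent back.

    Returns (session_id, via) where via is 'cookie', 'query' or None.
    The cookie wins when both are present, since a cookie is not copied
    into shared links the way a URL parameter is.
    """
    cookie_header = environ.get("HTTP_COOKIE", "")
    if cookie_header:
        jar = SimpleCookie()
        try:
            jar.load(cookie_header)
        except CookieError:
            jar = SimpleCookie()  # treat an unparsable header as no cookie
        morsel = jar.get(SESSION_COOKIE)
        if morsel is not None and morsel.value:
            return morsel.value, "cookie"
    values = parse_qs(environ.get("QUERY_STRING", "")).get(SESSION_PARAM)
    if values and values[0]:
        return values[0], "query"
    return None, None


def redirect_headers(url: str, session_id=None, via=None) -> str:
    """Build the CGI response text for an HTTP redirect.

    A CGI script redirects by printing a 'Status:' line and a 'Location:'
    header followed by a blank line; no HTML or JavaScript is needed.
    When the session lives only in the URL, it is re-added to the target
    so the session survives the redirect.
    """
    if session_id and via == "query":
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        query[SESSION_PARAM] = [session_id]
        url = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
    return "Status: 302 Found\r\nLocation: %s\r\n\r\n" % url
```

In a real script the returned text is written to stdout as the whole response, with nothing printed before it.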
Dennis Lee Bieber <wl*****@ix.netcom.com> writes:
Do we have the same dictionary?

Ephemeral, as in "mayflies are ephemeral", means "of short life"...
A cookie with a built-in expiration would, to my mind, be "ephemeral"
Ephemeral cookies in web-head jargon are cookies with no specified
expiration date, so they go away when you close the browser. Cookies
with expiration dates persist until that date (which admittedly might
be just a few seconds away but usually is much longer) if the server
side programmer gets what s/he wants. Usually, the expiration date is
WAY in the future, i.e. the server is either trying to set a
persistent login credential (ok, if the user wants it) or is trying to
do invasive user tracking (not good: see the recent news stories about
the court case around the US government trying to get Google search
logs, and then remember that Google sets a cookie that tries to
correlate all of any user's searches with each other).
Firefox control has:

Keep cookies: until they expire
until I close Firefox


Yes, it took a very long time to get some browser to implement it.
There's a huge and hairy thread about it in bugzilla.mozilla.com
somewhere asking why Communicator didn't do it.
Mar 29 '06 #7
In article <1h****************************@yahoo.com>,
Alex Martelli <al*****@yahoo.com> wrote:

Cookies aren't "tricks" -- they are THE standard, architected solution
for session persistence in HTTP 1.1 -- people who disable them are
saying they do not *WANT* persistent sessions... on their heads be it.


OTOH, there are too many sites out there that mandate persistent sessions
for no good reason. NetFlix being a canonical example (before logging
in, that is). Sites should degrade gracefully in the absence of cookies
unless they are absolutely essential for site operation.
--
Aahz (aa**@pythoncraft.com) <*> http://www.pythoncraft.com/

"Look, it's your affair if you want to play with five people, but don't
go calling it doubles." --John Cleese anticipates Usenet
Mar 29 '06 #8
I V
Sullivan WxPyQtKinter wrote:
As you said... there is no solution? I mean, tracing a real session
without using tricks like hidden fields and cookies in a CGI script?


As people have said, this isn't a limitation of python, it's a feature
of HTTP. You might want to consider whether you actually need sessions
- see if you can design your application to use REST (see e.g.
http://www.xfront.com/REST-Web-Services.html , or there's lots of
information on Google).

People have also mentioned this in passing, but a third alternative to
cookies and hidden fields is to use a session key in the query string -
this can be used for GET requests, so would work in redirects as well
as form submissions. Try:

http://yoursite.example/page?session=key

Then you need to remember, whenever you include a link to your site
that should retain the session information to add the session key to
the URL. You could define a function:

import urllib

def session_url(url, key, params=None):
    # Build url?session=key[&name=value...] with every part URL-quoted
    qstring = "%s=%s" % ('session', urllib.quote(key))
    for (name, value) in (params or {}).items():
        qstring += "&%s=%s" % (urllib.quote(name), urllib.quote(value))
    return url + '?' + qstring

And use it like:

# Do redirect
print "Location: " + session_url('new_page', session_key)
print   # blank line terminates the CGI headers

Or:

# Redirect to a page that loads the item called 'anitem'
print "Location: " + session_url('new_page', session_key, {'item':
    'anitem'})
print

If you want to link to this URL in an HTML page, you need to remember
to escape the '&' character:

print "<a href='%s'>Edit item %s</a>" % (cgi.escape(session_url('edit',
    session_key, {'item': item_name})), cgi.escape(item_name))

Then, if you need to submit a form, you can add the key as a hidden
field.

Mar 29 '06 #9
Aahz <aa**@pythoncraft.com> wrote:
In article <1h****************************@yahoo.com>,
Alex Martelli <al*****@yahoo.com> wrote:

Cookies aren't "tricks" -- they are THE standard, architected solution
for session persistence in HTTP 1.1 -- people who disable them are
saying they do not *WANT* persistent sessions... on their heads be it.


OTOH, there are too many sites out there that mandate persistent sessions
for no good reason. NetFlix being a canonical example (before logging
in, that is). Sites should degrade gracefully in the absence of cookies
unless they are absolutely essential for site operation.


I entirely agree with you -- do you mean netflix just won't work if I
try to visit it, not log in, with cookies disabled in my browser?!
Alex
Mar 30 '06 #10
