5

I'm making a web application with Python and I want to save some variables for the session, till the browser closes, like I would do with PHP:

<?php
session_start(); 
$_SESSION['size']='small'; 
?>

what's an easy yet safe way?

I'm using both lighttpd and apache so I want something that'll work with both.

Also, there will be passwords saved, so I need something safe.

  • Any reason to use CGI and not some lightweight framework? Commented Sep 1, 2013 at 15:42
  • Like web.py? I want to do it with pure code. I don't want to use a framework (mainly to learn). Commented Sep 1, 2013 at 15:44
  • CGI is not the way to write a pure Python web app. You should use WSGI. Commented Sep 1, 2013 at 15:50
  • Plus, you should bear in mind that PHP is a language designed for the web, so it includes things like session handling. Python is a general purpose language: for sessions, you need a third party library. Commented Sep 1, 2013 at 15:53
  • Related question: stackoverflow.com/questions/2534525/… Commented May 26, 2017 at 17:12

2 Answers

2

When using session_start() in PHP, you are not using "pure code" either; it's also smoke and mirrors...

Leaving out all the caveats: what you can do is use a global dictionary to store session data. Once a client makes a request and passes the "session" cookie, you look up all the session data in that dictionary. If there is no entry or the client has no session cookie, you create a new session and pass the cookie to the client. The session cookie is made of a random, say sixteen character, string. Other clients are unable to guess another user's session because the keyspace is too large. From time to time, you prune the dictionary of sessions your server has not seen in a while.

You should really take a look at CherryPy's documentation on using sessions though.


1 Comment

This link is now broken. It was quite old, though.

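
As an added illustration of the scheme this answer describes (not code from the answer, and not CherryPy's own session code), here is a framework-free, in-memory version: the session id comes from the operating system's CSPRNG through the secrets module, the cookie is issued without an expiry so the browser discards it when it closes (the PHP behaviour the question asks for), and sessions idle for too long are pruned. The names SESSIONS, lookup_session, prune_sessions, the cookie name "session" and the 30-minute idle limit are this example's own assumptions. In a CGI script the cookie_header argument would be os.environ.get("HTTP_COOKIE", "").

```python
# Added example, not part of the answer: a minimal in-memory session store.
import secrets
import time
from http import cookies

SESSION_COOKIE = "session"   # assumed cookie name
SESSION_TTL = 30 * 60        # assumed idle limit in seconds before a session is pruned

# session id -> {"data": {...}, "last_seen": <unix time>}
SESSIONS = {}


def new_session(now=None):
    """Create a session under an unguessable id (16 random bytes = 128 bits)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(16)  # about 22 URL-safe characters
    SESSIONS[sid] = {"data": {}, "last_seen": now}
    return sid


def lookup_session(cookie_header, now=None):
    """Return (session_id, set_cookie_header_or_None) for one incoming request.

    cookie_header is the raw Cookie request header. A known session id is
    refreshed and reused; anything else (no cookie, a malformed header, or an
    id the server has never issued or has already pruned) gets a fresh session
    and a Set-Cookie header the caller must send with the response.
    """
    now = time.time() if now is None else now
    jar = cookies.SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except cookies.CookieError:
        pass  # malformed header: treated exactly like no cookie at all
    morsel = jar.get(SESSION_COOKIE)
    if morsel is not None and morsel.value in SESSIONS:
        SESSIONS[morsel.value]["last_seen"] = now
        return morsel.value, None
    sid = new_session(now)
    out = cookies.SimpleCookie()
    out[SESSION_COOKIE] = sid
    out[SESSION_COOKIE]["httponly"] = True  # not readable by page scripts
    out[SESSION_COOKIE]["path"] = "/"
    # No "expires" / "max-age": a browser-session cookie, dropped on browser close.
    return sid, out.output(header="Set-Cookie:")


def prune_sessions(now=None):
    """Drop sessions idle longer than SESSION_TTL; return how many were removed."""
    now = time.time() if now is None else now
    stale = [sid for sid, s in SESSIONS.items() if now - s["last_seen"] > SESSION_TTL]
    for sid in stale:
        del SESSIONS[sid]
    return len(stale)


if __name__ == "__main__":
    # First request carries no cookie: a session is created and Set-Cookie returned.
    sid, header = lookup_session("")
    print(header)
    SESSIONS[sid]["data"]["size"] = "small"  # the $_SESSION['size'] equivalent
    # Second request from the same browser: the id is recognised, no new cookie.
    same, header = lookup_session("session=%s" % sid)
    print(same == sid, header is None, SESSIONS[same]["data"])
    # An id the server never issued is simply absent from the dictionary.
    print(lookup_session("session=not-a-real-id")[1] is not None)
```

Because the store is a dictionary inside one process, this only works while a single long-running process serves every request. Plain CGI starts a fresh interpreter per request and would lose the dictionary each time, which is one more reason the comments under the question point at WSGI instead.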
2

I decided to do it with cookies, which is easier/safer. Here's the code for everyone interested:

# importing the libs
from http import cookies
import os

# setting the cookies: Set-Cookie headers are printed as part of the
# CGI header block, before the blank line that ends it
C = cookies.SimpleCookie()
C["cookie1"] = "some_text"
C["cookie2"] = "another_text"
print(C.output())

# sending the html header (the extra newline is the blank line ending the headers)
print('Content-type: text/html\n')

# reading the "cookie1" cookie; HTTP_COOKIE is absent on the very first visit,
# and the browser may send back any value, or none, so never assume it is there
cookievalue = cookies.SimpleCookie(os.environ.get("HTTP_COOKIE", ""))
if "cookie1" in cookievalue:
    print(cookievalue["cookie1"].value)
else:
    print("no cookie1 yet")

3 Comments

Note that you are most probably subject to an untold number of possible attacks, quirks and bugs when doing so, starting with the fact that the client may modify/come up with and send anything he likes as cookie[12].

Apart from the username/password cookies there will be one more cookie with a random string for validation that will show that the X user connected from the X IP at THAT time, and if someone else tries to steal his cookie he won't be able to gain access. This will be saved in a local file on the server too for client-server validation. With that method attackers won't be able to even access the back-end server. Also there will be a max-tries on the login form, so if someone tries to abuse it trying to get in he will get blocked. Security comes first.

Among others, this will work only in part if people connect from large NATs (everyone appears to come from the same source IP) or from mobile (same user seems to come from different IPs).
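
The first comment's point, that the client can send back any cookie value it likes, is why a cookie's contents must never be trusted on their own. As an added example that is not part of this answer or its comments, here is the usual mitigation: the server signs the cookie value with an HMAC under a secret key only it holds, and verifies that signature on every request before using the value, so a cookie that was altered in transit or on the client is rejected. The cookie then carries only an identifier such as a username or session id, never the password itself. SECRET_KEY, sign_value, verify_value, set_cookie_header and read_cookie are names this example assumes, and the key is generated on the spot for the demo.

```python
# Added example, not from the answer: HMAC-signed cookies that detect tampering.
import hashlib
import hmac
import secrets
from http import cookies

# Assumed for the demo: generated per run. In a deployment the key is created
# once, kept out of the source tree, and shared by every server process.
SECRET_KEY = secrets.token_bytes(32)


def sign_value(value, key=SECRET_KEY):
    """Return 'value.mac' where mac is hex HMAC-SHA256 of value under key."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "%s.%s" % (value, mac)


def verify_value(signed, key=SECRET_KEY):
    """Return the original value if its MAC checks out, otherwise None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None  # no signature part at all
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    # constant-time comparison: the check must not leak how many characters matched
    if not hmac.compare_digest(expected, mac):
        return None
    return value


def set_cookie_header(name, value):
    """Build the Set-Cookie header carrying a signed identifier (never a password)."""
    out = cookies.SimpleCookie()
    out[name] = sign_value(value)
    out[name]["httponly"] = True  # not readable by page scripts
    out[name]["path"] = "/"
    return out.output(header="Set-Cookie:")


def read_cookie(name, cookie_header):
    """Parse a raw Cookie request header and return the verified value or None."""
    jar = cookies.SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(name)
    if morsel is None:
        return None
    return verify_value(morsel.value)


if __name__ == "__main__":
    # Constructed sample: the server issues a cookie naming the logged-in user.
    header = set_cookie_header("user", "alice")
    print(header)
    # The browser returns it unchanged on the next request: verification passes.
    sent_back = header.split(": ", 1)[1].split(";", 1)[0]
    print(read_cookie("user", sent_back))
    # The same cookie with its value changed no longer matches its MAC: rejected.
    altered = sent_back.replace("alice", "someone-else", 1)
    print(read_cookie("user", altered))
```

The signature only proves the value was issued by this server; it does not stop a copied cookie from being replayed by whoever obtained it, which is what the server-side session store with pruning in the other answer, together with HttpOnly and HTTPS-only cookies, is for.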
