
I'm making a web application with Python and I want to save some variables for the session, until the browser closes, like I would do with PHP:

<?php
session_start(); 
$_SESSION['size']='small'; 
?>

what's an easy yet safe way?

I'm using both lighttpd and apache so I want something that'll work with both.

Also, there will be passwords saved, so I need something safe.

Nickl
  • Any reason to use CGI and not some lightweight framework? – asermax Sep 01 '13 at 15:42
  • Like web.py? I want to do it with pure code. I don't want to use a framework (mainly to learn). – Nickl Sep 01 '13 at 15:44
  • CGI is not the way to write a pure Python web app. You should use WSGI. – Daniel Roseman Sep 01 '13 at 15:50
  • Plus, you should bear in mind that PHP is a language designed for the web, so it includes things like session handling. Python is a general-purpose language: for sessions, you need a third-party library. – Daniel Roseman Sep 01 '13 at 15:53
  • Related question: https://stackoverflow.com/questions/2534525/accessing-php-session-from-python-wsgi-is-it-possible – nu everest May 26 '17 at 17:12

2 Answers


When using session_start() in PHP, you are not using "pure code" either, it's also smoke and mirrors...

Leaving out all the caveats: what you can do is use a global dictionary to store session data. Once a client makes a request and passes the "session" cookie, you look up all the session data in that dictionary. If there is no entry, or the client has no session cookie, you create a new session and pass the cookie to the client. The session cookie is made of a random, say sixteen-character, string. Other clients are unable to guess another user's session because the keyspace is too large. From time to time, you prune from the dictionary the sessions your server has not seen in a while.

You should really take a look at CherryPy's documentation on using sessions though.

user2722968
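The design described in this answer (a global dictionary keyed by an unguessable random id, a cookie carrying only that id, and periodic pruning of idle sessions), written out as a small WSGI application. This is an added example, not code from the answer or from CherryPy; the cookie name `sid`, the 30-minute idle timeout and the function names are assumptions. The server never trusts anything in the cookie beyond matching it against ids it issued itself.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_COOKIE = "sid"          # assumed cookie name
SESSION_TTL = 30 * 60           # assumed idle timeout in seconds

# Global dictionary: session id -> {"data": {...}, "last_seen": timestamp}
SESSIONS = {}


def new_session(now=None):
    """Create a session keyed by a 256-bit random id (url-safe, cookie-legal chars)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"data": {}, "last_seen": now}
    return sid


def prune_sessions(now=None):
    """Drop sessions the server has not seen within SESSION_TTL; return how many."""
    now = time.time() if now is None else now
    stale = [sid for sid, s in SESSIONS.items() if now - s["last_seen"] > SESSION_TTL]
    for sid in stale:
        del SESSIONS[sid]
    return len(stale)


def session_from_header(cookie_header, now=None):
    """Return (sid, data, is_new) for a request's Cookie header value."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header or "")
    except CookieError:        # malformed header: treat as "no cookie"
        cookie = SimpleCookie()
    morsel = cookie.get(SESSION_COOKIE)
    sid = morsel.value if morsel else None
    # Only ids this server issued, and that are not idle-expired, are honoured.
    if sid in SESSIONS and now - SESSIONS[sid]["last_seen"] <= SESSION_TTL:
        SESSIONS[sid]["last_seen"] = now
        return sid, SESSIONS[sid]["data"], False
    sid = new_session(now)
    return sid, SESSIONS[sid]["data"], True


def set_cookie_header(sid):
    """Set-Cookie value: id only, unreadable by page scripts, never sent over plain HTTP."""
    return f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def app(environ, start_response):
    """Minimal WSGI app: counts visits per session, the way $_SESSION would in PHP."""
    prune_sessions()
    sid, data, is_new = session_from_header(environ.get("HTTP_COOKIE"))
    data["visits"] = data.get("visits", 0) + 1
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if is_new:
        headers.append(("Set-Cookie", set_cookie_header(sid)))
    start_response("200 OK", headers)
    return [f"visits this session: {data['visits']}\n".encode()]


if __name__ == "__main__":
    # Development server only; under lighttpd or Apache, mount `app` via their WSGI support.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Because the dictionary lives in one process, this only works with a single long-running worker; with several workers or a restart, the store has to move to something shared (a file, a database, or a session library as the answer suggests).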

I decided to do it with cookies, which is easier/safer. Here's the code for everyone interested:

# importing the libs
from http import cookies
import os

# setting the cookies
C = cookies.SimpleCookie()
C["cookie1"] = "some_text"
C["cookie2"] = "another_text"
# Set-Cookie lines belong in the header block, before the blank line that ends it
print(C.output())

# sending the html header (the blank line ends the headers)
print('Content-type: text/html\n')

# reading the "cookie1" cookie; HTTP_COOKIE is absent when the client sent no cookie
cookievalue = cookies.SimpleCookie(os.environ.get("HTTP_COOKIE", ""))
if "cookie1" in cookievalue:
    print(cookievalue["cookie1"].value)
Nickl
    Note that you are *most* probably subject to an untold number of possible attacks, quirks and bugs when doing so, starting with the fact that the client may modify/come up with and send anything he likes as cookie[12] – user2722968 Sep 01 '13 at 16:56
  • Apart from the username/password cookies there will be one more cookie with a random string for validation that will show that the X user connected from the X IP at THAT time, and if someone else tries to steal his cookie he won't be able to gain access. This will be saved in a local file on the server too for client-server validation. With that method attackers won't be able to even access the back-end server. Also there will be a max-tries on the login form, so if someone tries to abuse it trying to get in he will get blocked. Security comes first. – Nickl Sep 01 '13 at 17:44
  • Among others, this will work only in part if people connect from large NATs (everyone appears to come from the same source IP) or from mobile (same user seems to come from different IPs). – user2722968 Sep 01 '13 at 18:22
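The comment above points out that the client can send anything it likes as cookie1/cookie2, so a value read straight from HTTP_COOKIE proves nothing. One way to keep storing data in the cookie while making it tamper-evident is to sign each value with an HMAC under a server-side key and reject any cookie whose signature does not verify. This is an added example, not code from the answer; the cookie name `size`, the value `small` (borrowed from the question's PHP snippet) and the per-process `SECRET_KEY` are assumptions, and it uses the same `http.cookies` module as the answer.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Server-side key; in deployment load it from configuration so it survives restarts.
SECRET_KEY = secrets.token_bytes(32)   # assumed: generated per process here


def sign_value(name, value, key=SECRET_KEY):
    """Return 'value.signature'; the MAC covers the cookie name too, so a signed
    value for one cookie cannot be replayed under another cookie's name."""
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(name, signed, key=SECRET_KEY):
    """Return the plain value if the signature verifies, otherwise None."""
    if signed is None or "." not in signed:
        return None
    value, mac = signed.rsplit(".", 1)
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    return value


def build_set_cookie(name, value):
    """Set-Cookie header line for a signed value, with attributes that keep the
    cookie out of page scripts and off plain-HTTP connections."""
    c = SimpleCookie()
    c[name] = sign_value(name, value)
    c[name]["path"] = "/"
    c[name]["httponly"] = True
    c[name]["secure"] = True
    c[name]["samesite"] = "Lax"
    return c.output(header="Set-Cookie:")


def read_signed_cookie(name, cookie_header):
    """Parse a request's Cookie header (HTTP_COOKIE under CGI) and return the
    verified value of `name`, or None if it is missing or was modified."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    morsel = c.get(name)
    return verify_value(name, morsel.value if morsel else None)


if __name__ == "__main__":
    # CGI-style usage: emit the header, then read it back from a constructed request.
    print(build_set_cookie("size", "small"))
    sample_request = f"size={sign_value('size', 'small')}; other=1"   # constructed
    print(read_signed_cookie("size", sample_request))
```

Signing makes a value tamper-evident, not secret: the client can still read it, so a password or anything else that must stay private belongs in server-side session state with only an opaque id in the cookie.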