On Friday 14 October 2005 21:22, Derek Perriero wrote:
> What would be the best way to create a cgi session that contains the
> basic elements of a cookie and can also hold secure data, such as a
> username/password. I've explored the possibilities of using SmartCookie,
> but that doesn't encrypt my parameters.

Encrypting the parameters is probably not the best way. Usually you store the information you need in your own database and just pass the client (web browser/user) a handle (session ID). That way you temporarily identify the user through the session ID but can store data in your database that the user cannot even see.

There are a few things you need to take care of like:

- only pass a new session cookie if necessary (otherwise the user may be prompted to accept the same cookie time and again)
- expire the session if the user hasn't been using it
- check if the session ID fits the IP address you recorded
- create unique session IDs

A link from my list of bookmarks about session handling:
http://starship.python.net/~davem/cgifaq/faqw.cgi?req=show&file=faq02.011.htp

We have recently developed such a session handler for a Debian-related web site which uses a MySQL table to store session information. If there is interest I'll tidy it up a bit and make it publicly available.

Cheers
Christoph
-- 
~
~
".signature" [Modified] 1 line --100%-- 1,48 All
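
The approach described in the reply above, as an added example that is not part of the original message and is not the Debian site's handler: session data stays in a server-side table and the browser only receives a random session ID. It assumes SQLite in place of MySQL; the table layout, function names, the 30-minute idle timeout and the `sid` cookie name are all illustrative.

```python
import http.cookies
import json
import secrets
import sqlite3
import time

IDLE_TIMEOUT = 1800  # seconds of inactivity before a session expires (assumed value)

def open_store(path=":memory:"):
    db = sqlite3.connect(path, isolation_level=None)  # autocommit each statement
    db.execute("CREATE TABLE IF NOT EXISTS sessions ("
               "sid TEXT PRIMARY KEY, ip TEXT, last_seen REAL, data TEXT)")
    return db

def new_session(db, ip, data, now=None):
    """Store data server-side and return an unguessable handle for the cookie."""
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unique IDs
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)",
               (sid, ip, time.time() if now is None else now, json.dumps(data)))
    return sid

def load_session(db, sid, ip, now=None):
    """Return stored data, or None if the ID is unknown, idle too long, or from another IP."""
    now = time.time() if now is None else now
    row = db.execute("SELECT ip, last_seen, data FROM sessions WHERE sid = ?",
                     (sid,)).fetchone()
    if row is None:
        return None
    stored_ip, last_seen, data = row
    if now - last_seen > IDLE_TIMEOUT or stored_ip != ip:
        db.execute("DELETE FROM sessions WHERE sid = ?", (sid,))  # invalidate the handle
        return None
    db.execute("UPDATE sessions SET last_seen = ? WHERE sid = ?", (now, sid))
    return json.loads(data)

def handle_request(db, cookie_header, ip, now=None):
    """Return (session_data, set_cookie_header_or_None) for one CGI request."""
    jar = http.cookies.SimpleCookie(cookie_header or "")
    sid = jar["sid"].value if "sid" in jar else None
    data = load_session(db, sid, ip, now) if sid else None
    if data is not None:
        return data, None  # valid session: do not send the cookie again
    sid = new_session(db, ip, {"user": None}, now)
    out = http.cookies.SimpleCookie()
    out["sid"] = sid
    out["sid"]["httponly"] = True
    out["sid"]["path"] = "/"
    return {"user": None}, out.output()
```

The username and any other per-user state go into the `data` column after login; the cookie never carries more than the session ID.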