On Mo, 2009-12-07 at 09:35 -0400, Rayon wrote:

How do I Check for an active login session on every page that requires
authentication

To understand sessions you first need to understand that HTTP is a
stateless protocol: you connect, send your request, receive a response
and the connection is closed.

There are several ways to accomplish this. The most straightforward way
would be remembering the client's IP

Another method is putting the session's ID in the URLs you display to
your users.

The most common and reliable choice is the good old session cookie

While I agree with the cookie (as long as it has a short expiration),
another way to do this is by using expiring tokenization (credentials + some
unique data for the transaction) in the URL header (see section 14.8 at
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html). Tokenization
substitutes some random string for confidential data (such as credentials).
The payment card industry uses this in the form of an authorization code for
card transactions. Add to the data represented by the token some unique
data (maybe a random number or some data from the last transaction - it
doesn't matter as the token does not expose the data in any way) for each
HTTP transaction so you have a unique token in each header and you can get an
essentially stateful session with a method of checking authentication that
has some spoof protection built in. Wrap it all in SSL/TLS and then you've
got something. Granted, this requires some serious server side work, and is
probably not a good beginner exercise, but if this level is what you
need.... I have never coded anything like this in Python, but I can see
abstractly how it could be done (I'm a novice with Python). If you're bored,
you can read http://www.shift4.com/pdf/TokenizationWhitePaper.pdf especially
sec1:7. Ok, Ok, I'll shut up now - I've got to go play with some XML
anyhow... Thanks for listening.
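
The expiring, per-request token idea from the post above, as an added example that is not part of the original message. `TokenStore`, `issue`, `check_and_rotate` and the 300-second lifetime are assumed names and values, and the password check that precedes `issue` is left to the application.

```python
import secrets
import time

TOKEN_TTL = 300  # seconds; assumed lifetime, tune to your application


class TokenStore:
    """Server-side map from opaque random tokens to session data.

    The token carries no credentials; it is only a lookup key, so
    capturing one reveals nothing about the password behind it.
    """

    def __init__(self, ttl=TOKEN_TTL, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._live = {}  # token -> (username, expires_at)

    def issue(self, username):
        """Call only after the user's credentials have been verified."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._live[token] = (username, self._clock() + self._ttl)
        return token

    def check_and_rotate(self, token):
        """Validate the token sent with a request.

        Returns (username, next_token) on success, or None if the token
        is unknown, already used, or expired. Each token is valid for
        exactly one request, so a replayed token is rejected.
        """
        entry = self._live.pop(token, None)  # pop makes it single-use
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return username, self.issue(username)
```

Rotating on every request assumes the client sends its requests one at a time and echoes back the token from the previous response. The token should only travel over SSL/TLS, as the post says.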

Discussion Overview
group: tutor @
categories: python
posted: Dec 5, '09 at 11:26a
active: Dec 8, '09 at 12:56p
posts: 9
users: 5
website: python.org
