No Cookie: how to implement session?

[Kornkatz88]

I don't understand the reason for 'Cookies'. When you are pay to belong to AOL or another network why is it necessary to set up an additional address in order to be able to have access to some information? 
We are not all computer talented, even at this date. Some of us only use it for convenience in our every day life, why make it more complex?
-- 
http://mail.python.org/mailman/listinfo/python-list

Re: No Cookie: how to implement session?

[Alex Martelli]

Aahz <[EMAIL PROTECTED]> wrote:

> In article <[EMAIL PROTECTED]>,
> Alex Martelli <[EMAIL PROTECTED]> wrote:
> >
> >Cookies aren't "tricks" -- they are THE standard, architected solution
> >for session persistence in HTTP 1.1 -- people who disable them are
> >saying they do not *WANT* persistent sessions... on their heads be it.
> 
> OTOH, there are too many sites out there that mandate persistent sessions
> for no good reason.  NetFlix being a canonical example (before logging
> in, that is).  Sites should degrade gracefully in the absence of cookies
> unless they are absolutely essential for site operation.

I entirely agree with you -- do you mean netflix just won't work if I
try to visit it, not log in, with cookies disabled in my browser?!


Alex
-- 
http://mail.python.org/mailman/listinfo/python-list

Re: No Cookie: how to implement session?

[I V]

Sullivan WxPyQtKinter wrote:
> As you said, There is no solution? I mean, tracing a real session
> without using tricks like hidden field and cookies in CGI script?

As people have said, this isn't a limitation of python, it's a feature
of HTTP. You might want to consider whether you actually need sessions
- see if you can design your application to use REST (see e.g.
http://www.xfront.com/REST-Web-Services.html , or there's lots of
information on Google).

People have also mentioned this in passing, but third alternative to
cookies and hidden fields is to use a session key in the query string -
this can be used for GET requests, so would work in redirects as well
as form submissions. Try:

http://yoursite.example/page?session=key

Then you need to remember, whenever you include a link to your site
that should retain the session information to add the session key to
the URL. You could define a function:

def session_url(url, key, **params={}):
qstring = "%s=%s" % ('session', urllib.quote(key))
for (name, value) in params.items():
qstring += "&%s=%s" %(urllib.quote(name), urllib.quote(value))
return qstring

And use it like:

#Do redirect
print "Location: " + session_url('new_page', session_key)

Or:

# Redirect to a page that loads the item called 'anitem'
print "Location: " + session_url('new_page', session_key, {'item',
'anitem'})

If you want to link to this URL in an HTML page, you need to remember
to escape the '&' character:

print "Edit item %s" % (cgi.escape(session_url('edit',
session_key, {'item', item_name})), item_name)

Then, if you need to submit a form, you can add the key as a hidden
field.

-- 
http://mail.python.org/mailman/listinfo/python-list

Re: No Cookie: how to implement session?

[Aahz]

In article <[EMAIL PROTECTED]>,
Alex Martelli <[EMAIL PROTECTED]> wrote:
>
>Cookies aren't "tricks" -- they are THE standard, architected solution
>for session persistence in HTTP 1.1 -- people who disable them are
>saying they do not *WANT* persistent sessions... on their heads be it.

OTOH, there are too many sites out there that mandate persistent sessions
for no good reason.  NetFlix being a canonical example (before logging
in, that is).  Sites should degrade gracefully in the absence of cookies
unless they are absolutely essential for site operation.
-- 
Aahz ([EMAIL PROTECTED])   <*> http://www.pythoncraft.com/

"Look, it's your affair if you want to play with five people, but don't
go calling it doubles."  --John Cleese anticipates Usenet
-- 
http://mail.python.org/mailman/listinfo/python-list

Re: No Cookie: how to implement session?

[Paul Rubin]

Dennis Lee Bieber <[EMAIL PROTECTED]> writes:
>   Do we have the same dictionary?
> 
>   Ephemeral, as in "mayflies are ephemeral", means "of short life"...
> A cookie with a built-in expiration would, to my mind, be "ephemeral"

Ephemeral cookies in web-head jargon are cookies with no specified
expiration date, so they go away when you close the browser.  Cookies
with expiration dates persist until that date (which admittedly might
be just a few seconds away but usually is much longer) if the server
side programmer gets what s/he wants.  Usually, the expiration date is
WAY in the future, i.e. the server is either trying to set a
persistent login credential (ok, if the user wants it) or is trying to
do invasive user tracking (not good: see the recent news stories about
the court case around the US government trying to get Google search
logs, and then remember that Google sets a cookie that tries to
correlate all of any user's searches with each other).

>   Firefox control has: 
> 
>   Keep cookies:   until they expire
>   until I close Firefox

Yes, it took a very long time to get some browser to implement it.
There's a huge and hairy thread about it in bugzilla.mozilla.com
somewhere asking why Communicator didn't do it.
-- 
http://mail.python.org/mailman/listinfo/python-list

Re: No Cookie: how to implement session?

[bruno at modulix]

Sullivan WxPyQtKinter wrote:
>  I do not want to use Cookies in my site since not all web browser
> support it well and sometimes people close cookie functioning for
> security reasons.

Too bad for them. The only other way to support session is by encoding
the session id in the request, and it's much more of a security hole
than cookies.

> I tried to add hidden field with a sessionID in every python CGI script
> generated web pages, so everytime my client POST a request,

POST is for submitting data to the server. The method for retrieving
data from the server is GET.

> the server
> will retrieve the sessionID and decide if it is in the same session.
> However, since python cgi do not have a function for redirecting to a
> page, I use Location: url http head 

How do you think redirections are implemented in frameworks that have
syntactic sugar for this ? At the HTTP level, redirections are done by
sending the corresponding status code and headers. And writing your own
redirect() function is pretty trivial.

> or  onload="document.location=\'%s\'"> javascript  for
> redirecting.

And you don't want to use cookies ? Lol.

> in this case, hidden field could not be used any more.
> 
> Really wish python would have session management or equivalent in
> standard CGI module

*Please* take some time to understand how HTTP (and CGI) works - it will
save you a lot of time.

HTTP is a *stateless* protocol, which means that the server itself
forget everything about a request as soon as it is done handling it. So
a request must provide *all* necessary informations. The *only* way to
maintain some kind of 'session' with HTTP is to make sure the client
passes the needed session identifier back to the server. And the 2 only
ways to do it are to :
1/ use a cookie
2/ put the identifier in the request (usually in the query string part
of the url).

The fact that Python's CGI module doesn't offer out of the box support
for sessions has no relation with how sessions work.

BTW, you may want to have a look at Webstack, which provides a common
API over cgi, mod_python, and some other deployment solutions. This is a
pretty boring API (no magic, nothing fancy, nothing sexy etc), but it's
somewhat higher-level than plain CGI and it offers support for sessions
(yes, with cookies - like 99,99% of web programming solutions).


-- 
bruno desthuilliers
python -c "print '@'.join(['.'.join([w[::-1] for w in p.split('.')]) for
p in '[EMAIL PROTECTED]'.split('@')])"
-- 
http://mail.python.org/mailman/listinfo/python-list

Re: No Cookie: how to implement session?

[Paul Rubin]

[EMAIL PROTECTED] (Alex Martelli) writes:
> Cookies aren't "tricks" -- they are THE standard, architected solution
> for session persistence in HTTP 1.1 -- people who disable them are
> saying they do not *WANT* persistent sessions... on their heads be it.

That so many people do this is partly the fault of browsers.  Until
recently, there was no way to configure most browsers to accept all
cookies but treat them as ephemeral (dispose of them when you close
the browser).  Your choices were:

  1) accept all cookies; non-ephemeral ones would persist on your hard disk
  2) accept only ephemeral cookies: ones marked non-ephemeral would be
 ignored
  3) ignore ALL cookies

Choice #1 enables invasive long-term user tracking that is not
necessary for mere session persistence.

Choice #2 stops the long-term tracking, but session cookies get
ignored if they have an expiration date (that makes them
non-ephemeral).  That stops most session cookies from working.  This
choice was available in some versions of Netscape Communicator but I
don't think MS Explorer had it.

Choice #3 stops sessions from working all the time.

What you really want is for your browser to accept all cookies
including persistent ones, but the cookie at the end of the session
regardless of the requested expiration date.  Firefox can do that and
it's the setting that I use.  I don't know if other browsers can do it yet.
-- 
http://mail.python.org/mailman/listinfo/python-list

Re: No Cookie: how to implement session?

[Alex Martelli]

Sullivan WxPyQtKinter <[EMAIL PROTECTED]> wrote:

> As you said, There is no solution? I mean, tracing a real session
> without using tricks like hidden field and cookies in CGI script?

Cookies aren't "tricks" -- they are THE standard, architected solution
for session persistence in HTTP 1.1 -- people who disable them are
saying they do not *WANT* persistent sessions... on their heads be it.


Alex
-- 
http://mail.python.org/mailman/listinfo/python-list

Re: No Cookie: how to implement session?

[Sullivan WxPyQtKinter]

As you said, There is no solution? I mean, tracing a real session
without using tricks like hidden field and cookies in CGI script?
Dennis Lee Bieber 写道：

> On 28 Mar 2006 09:40:24 -0800, "Sullivan WxPyQtKinter"
> <[EMAIL PROTECTED]> declaimed the following in comp.lang.python:
>
> >  I do not want to use Cookies in my site since not all web browser
> > support it well and sometimes people close cookie functioning for
> > security reasons.
> >
>   Yes... And watch them flounder on sites that use cookies /for/ a
> form of security (ie, those sites that require logins...) Cookies can be
> set to expire, so the "session" can time-out... whereas...
>
> > I tried to add hidden field with a sessionID in every python CGI script
> > generated web pages, so everytime my client POST a request, the server
>
>   This would imply that a client could start a session today, and
> finally submit tomorrow... There's no real time-out capability unless
> you run some background timer thread for each "session ID"...
>
> > will retrieve the sessionID and decide if it is in the same session.
> > However, since python cgi do not have a function for redirecting to a
> > page, I use Location: url http head or 
>   Isn't redirect normally the responsibility of the web server
> /before/ invoking the CGI script itself? I'll concede I'm weak on that
> level of detail.
>
> > Really wish python would have session management or equivalent in
> > standard CGI module
>
>   The standard CGI module is only the lowest common base for dynamic
> web pages. The technology goes back decades, possibly even predating
> cookies. Look at the name: Common Gateway Interface... It's a building
> block responsible for getting submitted form data, as passed by the web
> server environment, and returning generated data -- the interface
> between an application and the web server. All else must be built on top
> of it -- hence separate modules for Cookie control, etc.
> --
>  > == <
>  >   [EMAIL PROTECTED]  | Wulfraed  Dennis Lee Bieber  KD6MOG <
>  >  [EMAIL PROTECTED] |   Bestiaria Support Staff   <
>  > == <
>  >   Home Page: <
>  >Overflow Page: <

-- 
http://mail.python.org/mailman/listinfo/python-list

Re: No Cookie: how to implement session?

[Paul Rubin]

Dennis Lee Bieber <[EMAIL PROTECTED]> writes:
>   Yes... And watch them flounder on sites that use cookies /for/ a
> form of security (ie, those sites that require logins...) Cookies can be
> set to expire, so the "session" can time-out... whereas...

Sites should never rely on cookies timing out.  If there's any
security concern about session persistence and you don't want to track
the session timeout on the server, then encode an expiration time into
the cookie itself, and cryptographically authenticate the cookie.

> > I tried to add hidden field with a sessionID in every python CGI script
> > generated web pages, so everytime my client POST a request, the server

The trouble here is that it stops internal links (retrieved with GET
rather than POST) from working.  So normally what you're describing is
done with session ID's in the url (see amazon.com for example).  That,
too, isn't so great for security, especially for ecommerce sites,
since people tend to share url's with their friends.  E.g., they'll
post to Usenet or web bbs's, So-and-so is offering a great deal on
Python manuals, the url is  where "whatever"
includes the session ID.  Anyone clicking the url then ends up with
the same shopping cart as the person who posted it.

To OP: keep in mind also that anyone who disables cookies probably
also disables javascript, so relying on javascript as you described
for redirection doesn't work too well either.
-- 
http://mail.python.org/mailman/listinfo/python-list

No Cookie: how to implement session?

[Sullivan WxPyQtKinter]

 I do not want to use Cookies in my site since not all web browser
support it well and sometimes people close cookie functioning for
security reasons.

I tried to add hidden field with a sessionID in every python CGI script
generated web pages, so everytime my client POST a request, the server
will retrieve the sessionID and decide if it is in the same session.
However, since python cgi do not have a function for redirecting to a
page, I use Location: url http head or  javascript  for
redirecting.in this case, hidden field could not be used any more.

Really wish python would have session management or equivalent in
standard CGI module

-- 
http://mail.python.org/mailman/listinfo/python-list