At 05:06 PM 8/16/2005 -0400, mike bayer wrote:

> There are also security considerations regarding using only cookies without
> server side sessions. For login tokens, if there's no corresponding
> server-side token to match up that it is in fact a current login and not
> something left over from a long-closed session, then some kind of clever
> encryption combined with time information must be used on the client-side
> token that can guarantee the login is recent and valid.
That's why I listed signed vs. unsigned data as one of the concerns that should be part of a client-side session API design. You don't need encryption, btw, you just need a signature. Signatures are easily done by using a hashing algorithm and a secret key. And by easily done, I mean a few lines of Python.

Really the only "interesting" part of managing a hash-based signature is where to store the key such that all the server processes can access it, but it isn't part of your source code. You can do that with a file on a single server, but for multiple servers it's back to the DB or else you need a way to push out configuration to the servers.

You also need key rotation such that your signatures indicate which key was used to sign them, so that people's keys don't suddenly stop working when you update your key.

OTOH, if you have a multi-server setup you probably already know about all these problems and have ways to deal with them.

_______________________________________________
Web-SIG mailing list
Web-SIG@python.org
Web SIG: http://www.python.org/sigs/web-sig
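The "few lines of Python" the reply alludes to, as an added example that is not part of the original thread: an HMAC-SHA256 signed login token that carries an issue time (so age can be checked without a server-side session) and a key id (so an old key can still verify tokens after rotation). The key ring, key ids, secrets and the one-hour limit are constructed for the demo; a real deployment would load the keys from a file or config store outside the source tree, as the post says.

```python
import base64
import hashlib
import hmac
import json

# Constructed key ring: key id -> secret. "k1" is retired for signing but kept
# so tokens issued under it keep verifying until they age out.
KEYS = {
    "k1": b"old-secret-constructed-for-demo",
    "k2": b"current-secret-constructed-for-demo",
}
CURRENT_KEY_ID = "k2"
MAX_AGE = 3600  # seconds a login token stays valid (constructed value)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(payload: dict, now: float, key_id: str = CURRENT_KEY_ID) -> str:
    """Return 'kid.body.sig' where sig = HMAC-SHA256(key, 'kid.body').

    The key id is covered by the MAC so it cannot be swapped to another key.
    """
    body = _b64(json.dumps({**payload, "iat": int(now)}, sort_keys=True).encode())
    mac = hmac.new(KEYS[key_id], f"{key_id}.{body}".encode(), hashlib.sha256).digest()
    return f"{key_id}.{body}.{_b64(mac)}"


def verify_token(token: str, now: float, max_age: int = MAX_AGE):
    """Return the payload if signature and age check out, otherwise None."""
    try:
        key_id, body, sig = token.split(".")
        key = KEYS[key_id]            # unknown key id -> KeyError -> reject
        given = _unb64(sig)           # malformed base64 -> ValueError -> reject
    except (ValueError, KeyError):
        return None
    expected = hmac.new(key, f"{key_id}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return None
    payload = json.loads(_unb64(body))
    if now - payload.get("iat", 0) > max_age:     # stale login, even if signed
        return None
    return payload
```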