cgi - secure sessions

infini.g

Hey,

I was just wondering if / how would it be possible to create secure
sessions for a website using Python CGI... I thought of using cookies,
and things looked promising for a while; I could login through a form
which pointed to a cgi script which created sent the user cookies, but
I found that when a script to detect the cookies was run through a
server side include line in the html, it couldn't get any cookies, but
it would work fine when run directly through the browser (which is
useless to me).

If anybody could help with this it would be great. Python is the only
programming language that I'm relatively comfortable in at the moment,
so using the usual PHP or Javascript just isn't an option for me
unfortunately.

GazaM
 
Kirk McDonald

GazaM said:
Hey,

I was just wondering if / how would it be possible to create secure
sessions for a website using Python CGI... I thought of using cookies,
and things looked promising for a while; I could login through a form
which pointed to a cgi script which created sent the user cookies, but
I found that when a script to detect the cookies was run through a
server side include line in the html, it couldn't get any cookies, but
it would work fine when run directly through the browser (which is
useless to me).

If anybody could help with this it would be great. Python is the only
programming language that I'm relatively comfortable in at the moment,
so using the usual PHP or Javascript just isn't an option for me
unfortunately.

GazaM

For what it's worth, mod_python supports sessions:

http://www.modpython.org/live/current/doc-html/pyapi-sess.html

I've been playing with them recently, and they seem to work. :)

-Kirk McDonald
 
Paul Rubin

GazaM said:
I was just wondering if / how would it be possible to create secure
sessions for a website using Python CGI... I thought of using cookies,
and things looked promising for a while; I could login through a form
which pointed to a cgi script which created sent the user cookies,

Yes, that's the usual way: send a cookie containing either the session
ID or the session data, and read it back on the server side. Be very
careful about what you put in the cookie: if it's a session ID, it
should be a long random string, not a session number like 37 (if you
use consecutive numbers, someone can change their number and take over
someone else's session). If it's more complex session data, validate
it carefully on the server side, maybe by authenticating it with
something like the hmac module.
 
GazaM

wow, those were some seriously quick replies, thanks. I understand that
cookies is the best way to do things, but I didn't explain my problem
well, sorry.

Basically, I have a blog in the works and I want to have an online
interface for posting. What I have is a cgi script run through a server
side include line in the html, which looks for the session cookie, if
it is present will say 'logged in as "user"' and if the cookie isn't
there will display a login form. Now, the big showstopper here is that,
because session cookies are stored in http headers sent by the client
(afaik) the cgi script can't get any, because the http headers are
passed onto the html file and any cgi scripts inside don't get
anything... is there a workaround possible? I need to use an include
line instead of pointing to the script and making it output full html
as there are various other scripts run in the html as well, plus I am
hoping to use the cookie-detection script in other ways than just the
home page...

Again, any help is appreciated.

GazaM
 
Kirk McDonald

GazaM said:
What I have is a cgi script run through a server
side include line in the html, which looks for the session cookie, if
it is present will say 'logged in as "user"' and if the cookie isn't
there will display a login form. Now, the big showstopper here is that,
because session cookies are stored in http headers sent by the client
(afaik) the cgi script can't get any, because the http headers are
passed onto the html file and any cgi scripts inside don't get
anything... is there a workaround possible?

Python has a built-in Cookie module:

http://www.python.org/doc/2.4.2/lib/module-Cookie.html

It may simplify matters.

-Kirk McDonald
 
Paul Rubin

GazaM said:
there will display a login form. Now, the big showstopper here is that,
because session cookies are stored in http headers sent by the client
(afaik) the cgi script can't get any, because the http headers are
passed onto the html file and any cgi scripts inside don't get
anything... is there a workaround possible?

Usually the httpd (i.e. web server) saves the cookie data as
environment variables that the cgi can see. What httpd are you using?
"Server side includes" used to mean something specific, a very old
dynamic html scheme that nobody uses much any more. I'm presuming
your cgi is written in Python. Have you looked at the cgi module docs?
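
The advice in Paul Rubin's two replies above (a long random session ID or HMAC-authenticated cookie data, read back from the environment the web server gives the CGI), as an added example that is not part of the original thread. It uses Python 3's `http.cookies`, the current name of the Cookie module; `SECRET_KEY`, the function names and the cookie name `session` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie  # Python 3 name for the Cookie module

# Assumption: a real site loads this key from server-side storage so it is the
# same on every CGI invocation; it is generated here so the example runs.
SECRET_KEY = secrets.token_bytes(32)

def _tag(value, key):
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def new_session_id():
    """Long random session ID (256 bits), not a guessable counter like 37."""
    return secrets.token_urlsafe(32)

def sign(value, key=SECRET_KEY):
    """Return 'value.tag', where tag is HMAC-SHA256 over value."""
    return value + "." + _tag(value, key)

def verify(signed, key=SECRET_KEY):
    """Return the value if its tag is authentic, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison; bytes so odd client input cannot raise.
    ok = hmac.compare_digest(tag.encode(), _tag(value, key).encode())
    return value if ok else None

def session_from_environ(environ, name="session"):
    """Read the cookie the web server hands a CGI in HTTP_COOKIE."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return verify(jar[name].value) if name in jar else None

def set_cookie_header(value, name="session"):
    """Build the Set-Cookie line a CGI prints before its blank line."""
    jar = SimpleCookie()
    jar[name] = sign(value)
    jar[name]["httponly"] = True
    jar[name]["secure"] = True  # assumes the site is served over HTTPS
    jar[name]["path"] = "/"
    return jar.output()
```

In a CGI script, call `session_from_environ(os.environ)`; a `None` result means the cookie is missing or was altered, so show the login form.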
 
GazaM

Kirk: I'm using the Cookie module to create/send/read the cookies. The
problem is that I can't read session cookies when running the script
from a server side include line.

Paul: By server side include I mean simply calling upon the script from
an include line within the html, for example '<!--#include
virtual="/cgi-bin/cookietest.cgi" -->'

GazaM
 
Paul Rubin

GazaM said:
Paul: By server side include I mean simply calling upon the script from
an include line within the html, for example '<!--#include
virtual="/cgi-bin/cookietest.cgi" -->'

Try printing the contents of os.getenv() in your script and see
if the cookie data is in there.
 
Fuzzyman

GazaM said:
wow, those were some seriously quick replies, thanks. I understand that
cookies is the best way to do things, but I didn't explain my problem
well, sorry.

Basically, I have a blog in the works and I want to have an online
interface for posting. What I have is a cgi script run through a server
side include line in the html, which looks for the session cookie, if
it is present will say 'logged in as "user"' and if the cookie isn't
there will display a login form. Now, the big showstopper here is that,
because session cookies are stored in http headers sent by the client
(afaik) the cgi script can't get any, because the http headers are
passed onto the html file and any cgi scripts inside don't get
anything... is there a workaround possible? I need to use an include
line instead of pointing to the script and making it output full html
as there are various other scripts run in the html as well, plus I am
hoping to use the cookie-detection script in other ways than just the
home page...

logintools is a Python CGI framework for logins and account management.
You could also 'overload' the account management to provide session
management if you want. (You'd have to be careful if the user could
potentially run more than one session simultaneously - maybe I can
build support into logintools for this).

It includes functions to *tell* if a user is logged in, and can also
automatically divert the user to a login page if you want.

It uses HTML templates so you can customise the appearance of the pages
it generates. It will handle sign-ups (you can allow new sign-ups or
not), user account management, and administrative account management.

You can also choose whether to use session cookies (only exists whilst
the same browser window is open - after that the user must login), or
set a length of time the cookie is valid for.

http://www.voidspace.org.uk/python/logintools.html

I'm happy to provide support via the Pythonutils mailing list :

http://groups.google.com/group/pythonutils

The best place to start might be an example application, like protected
page :

http://www.voidspace.org.uk/python/cgi.shtml

This doesn't use the features to tell you if the user is logged in (it
just prevents access to the application if the user isn't logged in -
and presents them with a login page). It's a good place to start
though.

All the best,

Fuzzyman
http://www.voidspace.org.uk/python/index.shtml
 
GazaM

Ok, thanks for all the help guys. It seems that running this type of
script from inside of the html just isn't going to work as needed.
Seems like I'll just have to ditch the .shtml and point directly to a
cgi. This is how the other Python frameworks and sites work, such as
reddit and plone etc right?
 
Fuzzyman

GazaM said:
Ok, thanks for all the help guys. It seems that running this type of
script from inside of the html just isn't going to work as needed.
Seems like I'll just have to ditch the .shtml and point directly to a
cgi. This is how the other Python frameworks and sites work, such as
reddit and plone etc right?

That's more normal. logintools has templates in a directory and outputs
pages based on those. That's what all the 'templating engine'
discussion going on at the moment is about.

On the other hand, you can have static html pages with forms that call
the CGI. The CGI will still have to return HTML though.

logintools itself uses an *ultra simple* templating system - just
replacing special values in the template with the dynamically generated
values. There is no logic in the templates whatsoever.

All the best,


Fuzzyman
http://www.voidspace.org.uk/python/index.shtml
 
Fuzzyman

GazaM said:
Ok, thanks for all the help guys. It seems that running this type of
script from inside of the html just isn't going to work as needed.
Seems like I'll just have to ditch the .shtml and point directly to a
cgi. This is how the other Python frameworks and sites work, such as
reddit and plone etc right?

I'm not sure if you can 'include' a CGI and expect the results to get
included in a page (although I think I've heard of PHP being used in
that way.)

It doesn't sound like it's working for you anyway.

All the best,


Fuzzyman
http://www.voidspace.org.uk/python/index.shtml
 