cgi - 安全会话 [英] cgi - secure sessions

问题描述

嘿，


我只是想知道是否/如何使用Python CGI为网站创建安全的

会话...我想到使用cookies，

，事情看起来很有希望;我可以通过表格

登录，该表格指向创建了发送用户cookie的cgi脚本，但是我发现当检测到cookie的脚本通过

服务器端包含html中的行，它无法获取任何cookie，但

直接通过浏览器运行时它可以正常工作（这是

对我没用。）


如果有人可以帮忙解决这个问题，那就太好了。 Python是目前唯一比较舒服的

编程语言，

因此使用通常的PHP或Javascript对我来说不是一个选择

很遗憾。


GazaM

Hey,

I was just wondering if / how would it be possible to create secure
sessions for a website using Python CGI... I thought of using cookies,
and things looked promising for a while; I could login through a form
which pointed to a cgi script which created sent the user cookies, but
I found that when a script to detect the cookies was run through a
server side include line in the html, it couldn''t get any cookies, but
it would work fine when run directly through the browser (which is
useless to me).

If anybody could help with this it would be great. Python is the only
programming language that I''m relatively comfortable in at the moment,
so using the usual PHP or Javascript just isn''t an option for me
unfortunately.

GazaM

推荐答案

中，href =mailto：in ****** @ gmail.com>写道：​​

in******@gmail.com wrote:

嘿，
<我只是想知道是否/如何使用Python CGI为网站创建安全的会话......我想过使用cookies，
并且看起来很有希望;我可以通过一个表格
登录，该表格指向一个创建了发送用户cookie的cgi脚本，但是我发现当检测到cookie的脚本通过服务器端包含线路运行时在HTML中，它无法获得任何cookie，但是当它直接通过浏览器运行时它会正常工作（这对我来说是无用的）。

如果有人可以帮助解决这个问题。 Python是我目前唯一相对舒服的编程语言，所以使用通常的PHP或Javascript对我来说不是一个选择
不幸。
/>
GazaM

Hey,

I was just wondering if / how would it be possible to create secure
sessions for a website using Python CGI... I thought of using cookies,
and things looked promising for a while; I could login through a form
which pointed to a cgi script which created sent the user cookies, but
I found that when a script to detect the cookies was run through a
server side include line in the html, it couldn''t get any cookies, but
it would work fine when run directly through the browser (which is
useless to me).

If anybody could help with this it would be great. Python is the only
programming language that I''m relatively comfortable in at the moment,
so using the usual PHP or Javascript just isn''t an option for me
unfortunately.

GazaM

对于它的价值，mod_python支持会话：

http://www.modpython.org/live/curren...yapi -sess.html


我最近一直和他们一起玩，他们似乎工作。 :-)


-Kirk McDonald

For what it''s worth, mod_python supports sessions:

http://www.modpython.org/live/curren...yapi-sess.html

I''ve been playing with them recently, and they seem to work. :-)

-Kirk McDonald

在****** @ gmail.com 写道：

我只是想知道是否可以为网站创建安全的
会话使用Python CGI ......我想过使用cookies，
并且看起来很有希望;我可以通过一个表格
登录，该表格指向创建了发送用户cookie的cgi脚本，

I was just wondering if / how would it be possible to create secure
sessions for a website using Python CGI... I thought of using cookies,
and things looked promising for a while; I could login through a form
which pointed to a cgi script which created sent the user cookies,

是的，这是通常的方式：发送一个包含会话

ID或会话数据的cookie，并在服务器端读回。非常小心你在cookie中放入了什么：如果它是会话ID，那么

应该是一个长的随机字符串，而不是像37这样的会话号码（如果你使用连续数字
，有人可以改变他们的号码并接管

其他人的会话。如果它是更复杂的会话数据，请在服务器端验证

，也许通过使用

进行身份验证，例如hmac模块。

Yes, that''s the usual way: send a cookie containing either the session
ID or the session data, and read it back on the server side. Be very
careful about what you put in the cookie: if it''s a session ID, it
should be a long random string, not a session number like 37 (if you
use consecutive numbers, someone can change their number and take over
someone else''s session). If it''s more complex session data, validate
it carefully on the server side, maybe by authenticating it with
something like the hmac module.

哇，这些都是一些非常快速的回复，谢谢。我明白

cookies是做事的最佳方式，但我没有解释我的问题

，对不起。


基本上，我有一个博客在工作，我想有一个在线

界面发布。我所拥有的是一个通过服务器运行的cgi脚本

一边包含在html中的行，它查找会话cookie，如果

它存在就会说''记录在asuser中，如果cookie不是
，则会显示一个登录表单。现在，这里的大型showstopper是，

因为会话cookie存储在客户端发送的http头中

（afaik）cgi脚本无法获取，因为http标头是传递给html文件的
而且里面的任何cgi脚本都没有得到任何东西......有没有可行的解决办法？我需要使用include

行而不是指向脚本并使其输出完整的html

因为html中还有各种其他脚本运行，加上我我希望以除了

主页之外的其他方式使用cookie检测脚本...


再次，任何帮助表示赞赏。


GazaM

wow, those were some seriously quick replies, thanks. I understand that
cookies is the best way to do things, but I didn''t explain my problem
well, sorry.

Basically, I have a blog in the works and I want to have an online
interface for posting. What I have is a cgi script run through a server
side include line in the html, which looks for the session cookie, if
it is present will say ''logged in as "user"'' and if the cookie isn''t
there will display a login form. Now, the big showstopper here is that,
because session cookies are stored in http headers sent by the client
(afaik) the cgi script can''t get any, because the http headers are
passed onto the html file and any cgi scripts inside don''t get
anything... is there a workaround possible? I need to use an include
line instead of pointing to the script and making it output full html
as there are various other scripts run in the html as well, plus I am
hoping to use the cookie-detection script in other ways than just the
home page...

Again, any help is appreciated.

GazaM

这篇关于cgi - 安全会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！