[mod_python] Session data

Sam Brauer sam at webslingerZ.com
Tue May 29 09:40:32 EST 2001

On Tue, 29 May 2001, Bo Lorentsen wrote:
> I just need to gain knowledge about some other ways of maintaining session
> data, as until now, I thought that a cookie were just a session reference
> number of a kind.
> /BL

I think the most portable method (a method with the least
dependency on any particular webserver or application server) is to
maintain the session state in a relational database table and store the
table key value in a cookie.
When a user first hits your site, check for the cookie.
If it exists and matches a record in your table, then treat that record as
that user's session data.
Otherwise, insert a new record and set a session cookie with the key value
of the newly created record.

For applications where security is not a major concern, this method should
be sufficient.  If security is a major concern, you will want to avoid
storing the cookie value as plain text and instead encrypt it in some way.
Also, you may want to set a short expiration time for the cookie, and
perhaps reset it every time you send a response to the user.  You might
also (again, depending on the type of application) want to provide an
explicit logout function that unsets the cookie.
You could also have a field in your table that contains a timestamp that
gets updated every time a request for that session comes in.  Before
updating the field, you might compare its current value with the current
time.  If the difference is greater than some time limit (say 30 minutes),
then you could error out and respond to the user that their session has

How complicated and secure you want to make it is up to you.

Sam Brauer

More information about the Mod_python mailing list