[mod_python] Secure Sessions

Jim Gallacher jpg at jgassociates.ca
Tue May 30 08:38:17 EDT 2006


marinus van aswegen wrote:
> Hi All
> 
> I've noticed that I can tell cookies to only be sent to secured sites
> (ala https),

Are you referring to mod_python or something else? Perhaps you are 
misunderstanding the nature of the SignedCookie class. Quoting from the 
docs:

"This class creates cookies whose name and value are automatically 
signed using HMAC (md5) with a provided secret 'secret', which must be a 
non-empty string."

http://www.modpython.org/live/current/doc-html/pyapi-cookie-classes.html#l2h-202

> however I didn't see the same option for the session
> class. Am I missing something here? 

Yes, if you *are* referring to signed cookies. Just pass the secret to 
the session constructor, same as if you were creating a SignedCookie.

session = Session.Session(req, secret="some secret")

Quoting from the docs for BaseSession:

"When a secret is provided, BaseSession will use SignedCookie when 
generating cookies thereby making the session id almost impossible to 
fake. The default is to use plain Cookie (though even if not signed, the 
session id is generated to be very difficult to guess)."

http://www.modpython.org/live/current/doc-html/pyapi-sess-classes.html#l2h-209

> It's a good practice when using
> https to have your sessionid cookie only sent to the secure site

As far as I know this is not a mod_python capability out of the box. 
You'll need to test if it is an https request in your code and act 
accordingly.

> (should also be in the faq).

Well, maybe but I think this is the first time anyone has asked this 
question, so it doesn't really qualify as frequently asked. ;)

Jim
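To make the two points in this reply concrete, here is an added example (not mod_python's code and not part of the thread) that does in plain Python what passing `secret` to `Session.Session` and checking for an HTTPS request would do in a handler: it signs the session id with HMAC-MD5 over the cookie name and value, as the quoted docs describe, and appends the `Secure` attribute only when the request came in over https. The cookie name `pysid`, the digest-then-value layout of the cookie, and the `is_https` boolean (standing in for a check such as `req.is_https()` in the handler) are assumptions made for this example.

```python
import hmac
import hashlib

# Assumption: mod_python's default session cookie name.
COOKIE_NAME = "pysid"


def sign(name, value, secret):
    """HMAC-MD5 over cookie name + value, keyed with the shared secret."""
    mac = hmac.new(secret.encode(), name.encode(), hashlib.md5)
    mac.update(value.encode())
    return mac.hexdigest()  # 32 hex characters


def make_session_cookie(session_id, secret, is_https, name=COOKIE_NAME):
    """Build a Set-Cookie header value for the session id.

    The signature is prefixed to the value (assumed layout). Secure is
    added only for HTTPS requests, so the browser never sends the id in
    the clear once it has been set over https.
    """
    if not secret:
        raise ValueError("cannot sign without a secret")
    parts = ["%s=%s%s" % (name, sign(name, session_id, secret), session_id),
             "Path=/", "HttpOnly"]
    if is_https:
        parts.append("Secure")
    return "; ".join(parts)


def read_session_cookie(cookie_header, secret, name=COOKIE_NAME):
    """Return the session id from a Cookie header, or None if the
    signature does not verify (tampered value or wrong secret)."""
    for item in cookie_header.split(";"):
        item = item.strip()
        if not item.startswith(name + "="):
            continue
        raw = item[len(name) + 1:]
        digest, value = raw[:32], raw[32:]
        if value and hmac.compare_digest(digest, sign(name, value, secret)):
            return value
        return None  # signature mismatch: reject rather than trust the id
    return None
```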