durusmail: quixote-users: SessionPublisher / read_config in SCGI
Michael Watkins
2002-05-08
At 08:16 AM 5/8/2002 -0400, Greg Ward wrote:
> > - CGI driven (persist to a cookie)
>
>If I understand what you're saying here, you do *NOT* want to do this.
>Persisting data to a cookie means that you're trusting the client to
>return the cookie data you sent it.  Cookies should almost always be
>opaque blobs of information that mean nothing to the client, so that
>malicious or broken clients can't screw things up on your server.  Doing
>otherwise breaks the #1 rule of secure web programming: Never Trust The
>Client.

Greg - first, thanks for the code examples - that was the kind of leg-up I
was looking for. I've been piecing the puzzle together and find that work
gratifying, if slow, but a kick start is always helpful. No doubt SPLAT!
will be useful for many to peer into.

Regarding "Never Trust The Client", I couldn't agree more.  What I was
suggesting for CGI use was persisting only the session_id to a cookie, the
application data (prefs) and the session_id to the database, and on each
request doing a test of the two.

Before I go on, to be clear, I'm using SCGI for my staging and production
environments and CGI only for testing. I was hoping to implement session
tracking for my local testing in such a way that the bulk of the
application would remain the same in either environment. I use a cgi
driver just for simplicity and speed of the edit / test cycle. I edit and
test on a W2K box, and periodically I move all my code to my staging server
and re-test there.

I admit that I've not spent much time thinking about sessions yet in my
application - the clean feel of Quixote gave me a good deal of faith that I
could charge ahead elsewhere.

> > I am planning on persisting sessions to a PostgreSQL db, but test on CGI.
>
>By default, Quixote sessions live for as long as the process that
>handles requests from the web server: so if you're using Quixote's
>SessionManager with a CGI driver script, then your "session" objects are
>lost with every request.  You either need to write your own session
>manager (to implement persistent sessions), or use a long-lived
>execution mechanism like SCGI, FastCGI, or mod_python.  You'll be
>happiest if you do both.

Both is the plan. I'm using SCGI for this first Quixote project; I may have
to wrestle with mod_python on a Windows platform at some point. Since most
everything I do has a database like Postgres, Oracle or SQL Server
associated with it, my plan is to use the db and a custom session manager,
and have the best of both worlds with long running processes and persistence.

Thank you Greg for taking the time out to share.

Best regards
Mike

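The scheme Mike describes above (only an opaque session_id in the cookie, prefs and session_id in the database, the two checked against each other on every request), as an added Python example that is not from the thread and not Quixote's own SessionManager. The in-memory dict store, the cookie name, the idle timeout and the `handle_request` helper are assumptions standing in for the PostgreSQL table and the real request cycle.

```python
import secrets
import time
from dataclasses import dataclass, field

SESSION_COOKIE = "session_id"   # assumed cookie name
SESSION_TTL = 30 * 60           # assumed idle timeout, seconds


@dataclass
class Session:
    session_id: str
    prefs: dict = field(default_factory=dict)   # application data, server-side only
    last_seen: float = 0.0


class DbSessionStore:
    """Server-side session store. A dict stands in for the database table;
    the client only ever sees the random session_id, never the prefs."""

    def __init__(self, now=time.time):
        self._rows = {}
        self._now = now   # injectable clock so expiry can be tested

    def create(self, prefs=None):
        # 128-bit random token: unguessable and meaningless to the client.
        sid = secrets.token_urlsafe(16)
        self._rows[sid] = Session(sid, dict(prefs or {}), self._now())
        return sid

    def lookup(self, cookies):
        """Return the Session whose stored id matches the cookie, or None if
        the cookie is missing, unknown or idle too long. The cookie value is
        used only as a lookup key; nothing in it is trusted as data."""
        sid = cookies.get(SESSION_COOKIE)
        row = self._rows.get(sid) if sid else None
        if row is None:
            return None
        if self._now() - row.last_seen > SESSION_TTL:
            del self._rows[sid]          # expired: drop it, force a new session
            return None
        row.last_seen = self._now()
        return row

    def destroy(self, sid):
        self._rows.pop(sid, None)


def handle_request(store, cookies):
    """One request: resolve the session or start a fresh one.
    Returns (prefs, Set-Cookie header or None)."""
    session = store.lookup(cookies)
    if session is not None:
        return session.prefs, None
    sid = store.create()
    return {}, f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly"
```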