Hello, I have a couple questions about sessions and HTTP/HTTPS that
I'm hoping someone can help answer. I'm pretty new to Pylons and web
programming, so try not to assume I know too much in your replies.
Thanks a lot!
I am developing a site that will be viewed over both HTTP and HTTPS.
There will be users and logins (login over HTTPS only), and I would
like to use information about the user's login to affect content on
pages displayed over both HTTP and HTTPS. For example, I might want to
have a page showing product info displayed over HTTP. This page,
despite being insecure, would need to know about the user's login name
in order to perhaps display it in the upper-right, along with a link
to the user's purchase history. Now the page that shows the user's
purchase history should be accessible over HTTPS only, but it will
also need to know about the user's login name.
I am thinking the right way to do something like this would be to have
two cookies: one for HTTP with the secure flag set to False, and one
for HTTPS with the secure flag set to True. I would of course store
only session IDs in both cookies, and in the data corresponding to
both of them I would store the user's login name. This way, the
insecure cookie could get hijacked and all the hijacker would get to
see is a page showing the product with the user's login name in the
upper right. The attacker would never get to see the user's payment
history, because this would only be viewable over HTTPS using the
HTTPS cookie with the secure flag set to True.
My Questions:
(1) Am I even thinking about this correctly? Does it make sense to
accomplish the goal of authentication over both HTTP and HTTPS using
two cookies like I described, or is there a better way?
(2) Given that I think I'm going to need two cookies to do what I
want, how can I make use of the session feature within Pylons? Since
it seems there is only one session ("from pylons import session"),
this must be for insecure connections (secure flag = false). How would
I go about modifying Pylons to provide an additional HTTPS-only
session (secure flag = true) to go about accomplishing what I want?
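One way to lay out the two-cookie scheme described in the post above, as an added stand-alone example that is not Pylons' or Beaker's own code: plain WSGI-style helpers over constructed in-memory stores, where the `sid`/`ssid` cookie names, the `wsgi.url_scheme` check and the `login()` entry point are assumptions for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory stores standing in for a real session backend.
# Each cookie carries only a random session id; the login name lives server-side.
HTTP_SESSIONS = {}   # id from the non-Secure "sid" cookie  -> session data
HTTPS_SESSIONS = {}  # id from the Secure "ssid" cookie     -> session data


def login(username):
    """Called from the HTTPS-only login handler: create both sessions and
    build the two Set-Cookie headers. Only the ssid cookie gets the Secure
    flag, so the browser will never send it over plain HTTP."""
    sid, ssid = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    HTTP_SESSIONS[sid] = {"user": username}
    HTTPS_SESSIONS[ssid] = {"user": username}
    return [
        ("Set-Cookie", f"sid={sid}; Path=/; HttpOnly; SameSite=Lax"),
        ("Set-Cookie", f"ssid={ssid}; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ]


def _cookie(environ, name):
    """Read one cookie value from the WSGI environ, or None if absent."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return jar[name].value if name in jar else None


def current_user(environ):
    """Resolve the login name for a request (e.g. for the upper-right corner).
    Over HTTPS only the Secure session counts; over HTTP only the low-privilege
    one does. A leaked sid therefore never unlocks anything the HTTPS-only
    session protects, even if it is replayed over HTTPS."""
    if environ.get("wsgi.url_scheme") == "https":
        data = HTTPS_SESSIONS.get(_cookie(environ, "ssid"))
    else:
        data = HTTP_SESSIONS.get(_cookie(environ, "sid"))
    return data["user"] if data else None


def purchase_history_allowed(environ):
    """The purchase-history page needs HTTPS *and* a valid Secure session;
    presenting the sid cookie, over either scheme, is never enough."""
    return (environ.get("wsgi.url_scheme") == "https"
            and HTTPS_SESSIONS.get(_cookie(environ, "ssid")) is not None)
```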