On Jun 2, 4:54 pm, Jim Steil <[email protected]> wrote:

> So, are you then passing a userid and password with every request? Do
> you just cache the userid and a hash of the password in a cookie or
> something?
Sorry for taking so long to respond, I haven't been on this list much the past couple of weeks ;)

We use Repoze's built-in session cookies primarily for this. Basically a hash is generated and stored in the cookie during the session so that the server knows you are who you say you are. Beyond this there's also another nice feature that checks to see what your previous page was (where you came from), and this should partially help against the possibility of a cookie hijack to some extent.

On top of all this our site is end-to-end encrypted through SSL (https). The only page that is unencrypted is the welcome page (index), from which you can move to the login page. If you are not logged in, or your cookie has become invalid, you are automatically redirected to the login page.

Our project is a pretty complex accounting app (think like Quickbooks, but a web app), so security is a very big concern for us.

I think all the other bases of what I'd have to tell you have already been covered by other people's responses ;)

- Derick
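The scheme Derick describes (a server-generated hash in the session cookie, a check on where the request came from, and a redirect to the login page when the cookie is missing or no longer valid) can be shown in a small self-contained form. The code below is an added illustration, not Repoze's or TurboGears' implementation and not the project's own code: the cookie layout (`payload.tag`), the HMAC-SHA256 tag, the 30-minute lifetime, the constructed key and the `PUBLIC_PATHS` set are all assumptions made for this example.

```python
"""Illustrative signed session cookie plus the "invalid session -> login page" rule.

Assumptions (not from the thread): the cookie is "<base64 payload>.<base64 HMAC>",
the tag is HMAC-SHA256 over the payload, sessions expire after 30 minutes, and
only the index and login pages are reachable without a session.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import urlsplit

SESSION_TTL_SECONDS = 30 * 60          # assumed lifetime of an issued cookie
PUBLIC_PATHS = {"/", "/index", "/login"}  # assumed: pages that need no session


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(key: bytes, user_id: str, now: Optional[float] = None) -> str:
    """Build the cookie value at login: claims plus a keyed hash the server can recheck."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "iat": int(now), "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_session_cookie(key: bytes, cookie: Optional[str],
                          now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, otherwise None.

    The tag is checked (in constant time) before the payload is parsed, so a
    tampered or forged payload is rejected without ever being interpreted.
    """
    if not cookie or cookie.count(".") != 1:
        return None
    payload_b64, tag_b64 = cookie.split(".")
    try:
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    now = time.time() if now is None else now
    if now - int(claims.get("iat", 0)) > SESSION_TTL_SECONDS:
        return None                         # expired: treat exactly like a bad cookie
    uid = claims.get("uid")
    return uid if isinstance(uid, str) else None


def same_origin_referer(referer: Optional[str], expected_host: str) -> bool:
    """The 'where did you come from' check from the thread, as an extra signal only.

    The Referer header is supplied by the client and is often absent, so a
    mismatch is worth logging but a match proves nothing on its own.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == expected_host


def route_request(key: bytes, cookie: Optional[str], path: str,
                  now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Decide how to handle a request: serve public pages freely, otherwise
    require a valid session and send everyone else to the login page."""
    if path in PUBLIC_PATHS:
        return ("serve", None)
    uid = verify_session_cookie(key, cookie, now)
    if uid is None:
        return ("redirect", "/login")
    return ("serve", uid)


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)      # constructed; real keys come from config
    cookie = issue_session_cookie(demo_key, "alice")
    print(route_request(demo_key, cookie, "/ledger"))      # ('serve', 'alice')
    print(route_request(demo_key, cookie[:-3] + "AAA", "/ledger"))  # redirect
```

Because the tag covers the whole payload, an expired session, a forged user id and a cookie signed under a different key all fall into the same `None` branch and end up at the login page, which is the behaviour the thread describes for an invalidated cookie.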

