Hi Nick,

As with most things, "secure" has many levels. It really depends on what you're doing -- a blog, or bank software? You seem to be on the right track as far as I can tell. The only really obvious thing I see is that cookies get sent as plain text, so a user at a coffee shop using unencrypted wireless could be intercepted, and then use that cookie to view whatever. This unfortunately can't be fixed through the webpy layer -- you'd need to enable SSL on your web server and consider getting a legit certificate.

Based on what you've told us, you're basically as secure as a session-based login manager.

Cheers,
Justin

On May 25, 8:48 pm, NickCarlson <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm using .23 until .3 is released. Is there a standard way of handling
> logged in users without sessions?
>
> At the moment, I'm using cookies. Upon a successful login, two cookies
> are sent to the user. One is basically a boolean identifying the user
> as logged in. The other is a random md5 hash. This hash is also stored
> in the user's record in the database.
>
> Each time a sensitive piece of user data is displayed (or db data is
> updated) this cookie's value is compared to the hash in the user's db
> record to authenticate the user.
>
> Is this a "secure" and proficient workaround? Am I overlooking
> anything?
>
> Thanks,
> Nick
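The token-cookie scheme Nick describes (a random per-login value stored in the user's record and compared on every sensitive request), written out in Python as an added example; this is not code from the thread or from web.py. It uses the standard library's http.cookies instead of web.py's cookie helpers, carries the username in the same cookie rather than a separate logged-in flag, and sets the Secure attribute so the browser withholds the cookie on plain HTTP, which is the interception Justin points out (the flag only helps once SSL is on). The users table is a constructed in-memory dict.

```python
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie

# Constructed stand-in for the users table: one record per user, holding
# the random login token stored on successful login (None = logged out).
USERS = {"nick": {"token": None}}
COOKIE_NAME = "auth"


def issue_login_cookie(username):
    """Call after the password check has succeeded. Mints a fresh random
    token, stores it in the user's record and returns the Set-Cookie value."""
    token = secrets.token_hex(16)        # 128 bits from the OS CSPRNG
    USERS[username]["token"] = token     # a new login replaces the old token
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = f"{username}:{token}"
    cookie[COOKIE_NAME]["secure"] = True      # sent only over TLS
    cookie[COOKIE_NAME]["httponly"] = True    # not readable by page scripts
    cookie[COOKIE_NAME]["samesite"] = "Lax"   # not attached to cross-site POSTs
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="").strip()


def current_user(cookie_header):
    """Return the username the request's Cookie header proves, or None.
    The record is looked up by username; the token is compared in
    constant time so a wrong token fails no faster than a right one."""
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header or "")
    except CookieError:
        return None
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None or ":" not in morsel.value:
        return None
    username, presented = morsel.value.split(":", 1)
    record = USERS.get(username)
    if record is None or record["token"] is None:
        return None
    if not hmac.compare_digest(record["token"], presented):
        return None
    return username


def logout(username):
    """Clearing the stored token invalidates every copy of the cookie."""
    if username in USERS:
        USERS[username]["token"] = None
```

Because the server-side record is the source of truth, a stolen cookie stops working the moment the user logs out or logs in again, which a purely client-side "logged in" flag cannot offer.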
