There is very little a malicious visitor could do (directly to your
session data) unless your server gets hacked. Sessions are stored on
your machine, and the only thing passed to the user is the session ID. On
the other hand, session IDs can be manipulated in any number of ways,
but it's also very difficult to do so.

Basically, there's nothing wrong with storing the username in the
session store, but it's just much easier to store the user ID, since
it simplifies extraction of user-related data from the database.

Others will correct me if I err.

On Thu, Apr 29, 2010 at 3:00 AM, Oskar <[email protected]> wrote:
> Ok, but, uh, there isn't anything else I should know? Any security
> pitfalls?
>
> On Apr 28, 9:56 am, yada <[email protected]> wrote:
>> use uid, you can get other information from database by uid
>>
>> On Apr 28, 2010 1:36 AM, "Oskar" <[email protected]> wrote:
>>
>> Thank you!
>>
>> But, it seemed to me that storing the username in the session object
>> is the most convenient way to know who the user is. If for example a
>> user wants to update his contact info, then I want to know who the
>> user is. What do you recommend for a situation like this? How should I
>> go about knowing who the user is?
>>
>> On Apr 27, 12:31 pm, Anand Chitipothu <[email protected]> wrote:
>>
>> > 2010/4/27 Oskar <[email protected]>:
>>
>> > > I just wanted to add a couple question:
>>
>> > > Is it unwise to store the username and password ...



-- 
Branko Vukelić

[email protected]
[email protected]

Check out my blog: http://www.brankovukelic.com/
Check out my portfolio: http://www.flickr.com/photos/foxbunny/
Registered Linux user #438078 (http://counter.li.org/)
I hang out on identi.ca: http://identi.ca/foxbunny

-- 
You received this message because you are subscribed to the Google Groups 
"web.py" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/webpy?hl=en.
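As an added example (not code from this thread or from web.py itself), here is the pattern the reply describes: session data lives in a server-side store, the client only ever receives a random session ID, and the session holds just the user ID, which is resolved against the database on each request. The user table, the in-memory store and the TTL are constructed for the example and stand in for web.py's own session store and your real database.

```python
import secrets
import time

# Constructed in-memory "database": users keyed by a stable numeric id.
# Usernames and e-mail addresses are sample values.
USERS = {
    1: {"username": "oskar", "email": "[email protected]"},
    2: {"username": "yada", "email": "[email protected]"},
}

# Server-side session store: session id -> session data. This never
# leaves the server; only the key (the session id) is sent to the client.
SESSION_STORE = {}
SESSION_TTL = 3600  # seconds a session stays valid (constructed value)


def login(uid):
    """Create a server-side session holding only the uid; return the id the client gets."""
    if uid not in USERS:
        raise ValueError("unknown user")
    sid = secrets.token_urlsafe(32)  # 256 random bits: not practical to guess
    SESSION_STORE[sid] = {"uid": uid, "created": time.time()}
    return sid


def current_user(sid):
    """Resolve the user record for a presented session id, or None if it is unknown or expired."""
    data = SESSION_STORE.get(sid)
    if data is None:
        return None
    if time.time() - data["created"] > SESSION_TTL:
        del SESSION_STORE[sid]
        return None
    # The uid is the only identity stored; everything else comes from the database,
    # so a later username change is picked up automatically.
    return USERS.get(data["uid"])


def logout(sid):
    """Invalidate a session server-side; the client's copy of the id becomes useless."""
    SESSION_STORE.pop(sid, None)


def update_contact(sid, email):
    """The 'user wants to update his contact info' case: identify the user by the session's uid."""
    user = current_user(sid)
    if user is None:
        return False
    user["email"] = email
    return True
```

A forged or guessed session ID simply misses in the store, and nothing but the uid is ever kept in the session, so a username or password never has to live there.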
