python - Why CherryPy session does not require a secret key? -



python - Why CherryPy session does not require a secret key? -

i noticed cherrypy session not require secret key configuration. on contrary, pylons session does: http://docs.pylonsproject.org/projects/pylons_framework/dev/sessions.html

i'm concerned security issues if i'm using session remember user authentication.

any 1 can explain why cherrypy session not need secret key? or there suggestion how should create secure utilize session remember user login?

there 2 different ways of maintaining session state: on server or on client.

with server-side approach, maintain session info in files, database, or in memory on server , assign id it. session id sent client , stored in cookie (although can embedded in urls). each request, client's session id read , used web application load session info wherever it's stored on server. way, client never has access of session info , can't tamper it, downside have protect against session hijacking through utilize of stale session ids malicious clients. model used web frameworks , applications today.

another approach store session info on client side within of cookies. downside approach info can seen , tampered client, have take care sign , encrypt info prevent tampering. having secret key comes play. upside don't have worry session hijacking.

pylons uses beaker sessions, can configured store session info on client side. that's why need secret key.

cherrypy stores session info on server , sends user cookie session id, client never sees session info , can't tamper it. can configure utilize files or maintain in memory. can hook , utilize database store session info in.

personally, prefer approach used cherrypy, since it's same approach used bulk of web. it's easier secure, , can share session info other applications running on server without worrying encryption or keys.

python pylons web-frameworks cherrypy

Comments

Post a Comment

Popular posts from this blog

iphone - Dismissing a UIAlertView -

iphone - Dismissing a UIAlertView - i set in app purchase app, , when user taps button, purchase started. basically, tap button, , depending on speed on net connection, waiting 10 seconds until new alert view comes asking if purchase product. user tap button multiple times since nil came up, , multiple purchase alert views come up. additionally, maybe seen user app bug. in end, problem. i want alert view come spinning wheel says "loading..." when users taps purchase button. problem is, how dismiss when new alert view comes asking user if want purchase product? if ([uialertview alloc] says: @"whatever apple's alert view says") { //dismiss "loading..." alert view here } i uncertainty work, input appreciated. thanks! you need have access alertview. can this. create alertview instance var in app delegate , when want show loading initialize instance var assign property , when want dismiss phone call [alertviewinstance d...
Read more

c# - Can ProtoBuf-Net deserialize to a flat class? -

c# - Can ProtoBuf-Net deserialize to a flat class? - protobuf-net uses nested protobuf constructs back upwards inheritance. however, can made force properties flat target class has same properties inherited "serialized" version? see test illustration below. needless result of flat namespace null both properties. possible solution: re-create info flat.b first on property property basis. note: not prefered option. using system; namespace hierarchy { using protobuf; [protocontract] public class { [protomember(1)] public string prop1 { get; set; } } [protocontract] public class b : { public b() { } [protomember(1)] public string prop2 { get; set; } public override string tostring() { homecoming "prop1=" + prop1 + ", prop2=" + prop2; } } } namespace flat { using protobuf; [protocontract] p...
Read more

javascript - Change element in each JQuery tab to dynamically generated colors -

javascript - Change element in each JQuery tab to dynamically generated colors - i'm using jquery ui tabs widget , have button add together additional tabs. i'm tying each tab markers on map coordinating randomly generated color using function gen_color() { homecoming '#'+(math.random()*0xffffff<<0).tostring(16); } so each tab has color corresponds number of markers of same color on map. i'm trying add together 15x15 block of color within tab's tab left of it's label. right i'm using tabtemplate alternative , trying alter when new tab added: $tabs = $("#tabs").tabs({ tabtemplate: "<li><span class='ui-icon-color' style='background-color:#000000;'></span><a href='#{href}'>#{label}</a> <span class='ui-icon ui-icon-close'>remove tab</span></li>", selected: 0, add: funct...
Read more