Graham Northup

Email conversation

From: Graham Northup
To: Me
Subject: Using Javascript and Python in unison
Date: 22 April 2009 20:36
     Hi,
     I don't know if this problem will be fixed by the time you
reply...
     I'm using Python as my CGI scripting language. It appeared to be
working fine, until I realized that the IP-to-user management system is
DANGEROUSLY incompatible with intranets! Using cookies seems to be the only
answer to the problem, but I need some way to get the JavaScript code you
wrote to communicate with the native Python code that works with the
run-once CGI scripts.
     Any suggestions?
Thank you,
Graham Northup
From: Me
To: Graham Northup
Subject: Re: Using Javascript and Python in unison
Date: 23 April 2009 09:16
Graham,

> I'm using Python as my CGI scripting language.

Note: JavaScript does not need to know or care what server side language you
use. The approach should be the same no matter what.

> IP-to-user management system is DANGEROUSLY incompatible
> with intranets!

Indeed, sessions should never be based solely on IP address. There are many
environments where a user can change IP address during a session; AOL, for
example, randomly sends each request through any of multiple servers, so you
can't work out the user's IP address. Dialup users could accidentally
disconnect and reconnect with a new IP address. There are also multiple
environments where many users can share a single IP address. The most
obvious is an intranet using NAT - a typical setup for corporations,
schools/universities, and there are even cases where an entire country
shares a single IP address (eg. Bahrain).

> Using cookies seems to be the only answer to the problem

There are three approaches:

* Session IDs encoded in the URL (requires every page to be dynamically
generated with the session ID held in every single URL on the page, but it's
a very convenient approach for privacy-conscious users who may deny all
cookies to prevent tracking cookies from being set):
http://example.com/foo?sessionid=j45hgf56jh4356j7hgg44365

* Session IDs held in cookies

* Logins maintained using HTTP Authentication

It depends on how you are using it as to whether the last one is
appropriate, but either of the first two will work in most situations.

> but I need some way to get the JavaScript code you wrote to
> communicate with the native Python code that works with the run-once
> CGI scripts.

I assume you are referring to my cookie script, which you want to use to set
a session cookie. This is the wrong approach. JavaScript should only be used
to set cookies for something related to JavaScript. It should not be used to
set cookies which the server will be using. If the server needs a session
cookie, then the server should be the one setting the cookie.

* Use the Pragma and Cache-Control headers to make sure that caching proxies
do not cache the page.

* Use the Set-Cookie header to set the cookie:
Set-Cookie: foo=bar; path=/

The browser will then send the Cookie header with every request - assuming
the user allowed the cookie to be set:
Cookie: foo=bar; someothercookie=whatever

You will need to parse the Cookie header's value (or its associated
environment variable) to retrieve the individual cookies. Someone will
already have written some utility library for you, for setting and
retrieving cookies when using Python as a CGI script. I found a great deal
of information here, along with a link to a Python cookie module:
http://www.cs.virginia.edu/~lab2q/lesson_7/

You will also need some server-side store to keep track of all the active
session IDs, and potentially which user they represent. This should be done
using a database of your choice.

Hope this clears things up.


Mark 'Tarquin' Wilton-Jones - author of http://www.howtocreate.co.uk/
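
An added example, not part of the original e-mail or the site's code: a Python sketch of the server-side flow described in the reply above, where the server issues the session cookie, reads it back from the CGI HTTP_COOKIE environment variable and checks it against a store of active session IDs. The cookie name `sessionid`, the SQLite store, the HttpOnly attribute and the function names are assumptions made for illustration.

```python
import secrets
import sqlite3
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "sessionid"  # assumed name, not taken from the e-mail


def open_store(path=":memory:"):
    """Server-side store of active session IDs and the user each represents."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, user TEXT)")
    return db


def start_session(db, user):
    """Create a session; return its ID and the CGI response header lines."""
    sid = secrets.token_urlsafe(32)  # unguessable, generated by the server
    db.execute("INSERT INTO sessions (id, user) VALUES (?, ?)", (sid, user))
    db.commit()
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sid
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["httponly"] = True  # added hardening: hide it from page scripts
    headers = [
        "Cache-Control: no-cache, no-store",  # keep caching proxies from
        "Pragma: no-cache",                   # replaying this response
        jar.output(),                         # the Set-Cookie: header line
    ]
    return sid, headers


def lookup_session(db, environ):
    """Return (session_id, user) for the request's Cookie header, else None."""
    jar = SimpleCookie()
    try:
        jar.load(environ.get("HTTP_COOKIE", ""))  # CGI passes Cookie: here
    except CookieError:
        return None
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    # Only IDs the server issued are accepted; anything else is ignored.
    return db.execute(
        "SELECT id, user FROM sessions WHERE id = ?", (morsel.value,)
    ).fetchone()
```

Because the lookup key is the cookie value and not the client address, two users behind the same NAT address get separate sessions, and a user whose address changes mid-session keeps theirs.
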
From: Graham Northup
To: Me
Subject: Re: Using Javascript and Python in unison
Date: 2 May 2009 23:02
     Thank you,
     Within maybe an hour after sending you this email, I found a line in
the serving software we are using that parses a header known as "Cookie:".
Needless to say, I was pretty overjoyed when I found out that cookies can be
sent as headers. The major system rewrite following actually pushed our
server software forward one minor version: we are now using [brand]
1.1. But thank you regardless for being so prompt in your response.
Graham
This site was created by Mark "Tarquin" Wilton-Jones.