Email conversation
From | Graham Northup |
To | Me |
Subject | Using Javascript and Python in unison |
Date | 22 April 2009 20:36 |
Hi,
I don't know if I'll have this problem will be fixed by the time you
reply...
I'm using Python as my CGI scripting language. It appeared to be
working fine, until I realized that the IP-to-user management system is
DANGEROUSLY incompatible with intranets! Using cookies seems to be the only
answer to the problem, but I need some way to get the JavaScript code you
wrote to communicate with the native Python code that works with the
run-once CGI scripts.
Any suggestions?
Thank you,
Graham Northup
From | Me |
To | Graham Northup |
Subject | Re: Using Javascript and Python in unison |
Date | 23 April 2009 09:16 |
Graham,
> I'm using Python as my CGI scripting language.
Note; JavaScript does not need to know or care what server side language you
use. The approach should be the same no matter what.
> IP-to-user management system is DANGEROUSLY incompatible
> with intranets!
Indeed, sessions should never be based solely on IP address. There are many
environments where a user can change IP address during a session; AOL, for
example, randomly sends each request through any of multiple servers, so you
can't work out the user's IP address. Dialup users could accidentally
disconnect and reconnect with a new IP address. There are also multiple
environments where many users can share a single IP address. The most
obvious is an intranet using NAT - a typical setup for corporations,
schools/universities, and there are even cases where an entire country
shares a single IP address (eg. Bahrain).
> Using cookies seems to be the only answer to the problem
There are three approaches:
* Session IDs encoded in the URL (requires every page to be dynamically
generated with the session ID held in every single URL on the page, but it's
a very convenient approach for privacy-conscious users who may deny all
cookies to prevent tracking cookies from being set):
http://example.com/foo?sessionid=j45hgf56jh4356j7hgg44365
* Session IDs held in cookies
* Logins maintained using HTTP Authentication
It depends on how you are using it as to whether the last one is
appropriate, but either of the first two will work in most situations.
> but I need some way to get the JavaScript code you wrote to
> communicate with the native Python code that works with the run-once
> CGI scripts.
I assume you are referring to my cookie script, which you want to use to set
a session cookie. This is the wrong approach. JavaScript should only be used
to set cookies for something related to JavaScript. It should not be used to
set cookies which the server will be using. If the server needs a session
cookie, then the server should be the one setting the cookie.
* Use the Pragma and Cache-Control headers to make sure that caching proxies
do not cache the page.
* Use the SetCookie header to set the cookie:
Set-Cookie: foo=bar; path=/
The browser will then send the Cookie header with every request - assuming
the user allowed the cookie to be set:
Cookie: foo=bar; someothercookie=whatever
You will need to parse the Cookie header's value (or its associated
environment variable) to retrieve the individual cookies. Someone will
already have written some utility library for you, for setting and
retrieving cookies when using Python as a CGI script. I found a great deal
of information here, along with a link to a Python cookie module:
http://www.cs.virginia.edu/~lab2q/lesson_7/
You will also need some server-side store to keep track of all the active
session IDs, and potentially which user they represent. This should be done
using a database of your choice.
Hope this clears things up.
Mark 'Tarquin' Wilton-Jones - author of http://www.howtocreate.co.uk/
From | Graham Northup |
To | Me |
Subject | Re: Using Javascript and Python in unison |
Date | 2 May 2009 23:02 |
Thank you,
Within maybe an hour after sending you this email, I found a line in
the serving software we are using that parses a header known as "Cookie:.
Needless to say, I was pretty overjoyed when I found out that cookies can be
sent as headers. The major system rewrite following actually pushed our
server software forward one minor version: we are now using [brand]
1.1. But thank you regardless for being so prompt in your response.
Graham