[albatross-users] sessions vars question
Gabriel Cooper
gabriel.cooper at mediapulse.com
Sat Mar 12 05:29:12 EST 2005
For a secured session variable, prepend the variable name with an
underscore to avoid this. e.g. ``ctx.locals._name``
Denis Toporov wrote:
> Hello,
>
> it is very fun to work with server sessions in albatross.
> for example I have session variable 'name'
> I create local context variable ctx.locals.name = 'username'
> Add it to session ctx.add_session_vars('name').
>
> And after it I felt myself relaxed about value stored in session
> 'name' variable.
>
> So I need this session variable value from time to time. I'm using
> RandomModularSessionAppication.
> In my code I have method:
> def process_request(ctx):
>     .....
>     .....
>     user.name = ctx.locals.name  # (I'm not sure that this is the correct
>                                  # way to get the session variable value)
>     ....
>     ....
>
> And actually this works. BUT if I add to browser request string
> something like
> http://host/mypage?name='qqqqqqq'
>
> I have in my code that user name not 'username' any more, but
> 'qqqqqqq'.
>
> So I cannot believe that it could be so "secure" have server side
> session vars.
> It's same to store session vars in input hidden fields in browser.
>
> What's wrong with it?
>
--
__________________________________
*gabriel.cooper*@mediapulse.com <mailto:gabriel.cooper at mediapulse.com>
internet developer
865.675.4455 x32
800.380.4514
www.mediapulse.com <http://www.mediapulse.com/>
__________________________________
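
The behaviour discussed in this thread, as an added example that is not part of either message and is not Albatross code: a simplified stand-alone model in which session values and request fields share one namespace, and names starting with an underscore are refused during the request merge. The class and function names, and the load-then-merge order, are assumptions modelled on what the question reports.

```python
# Simplified model, not Albatross source: MiniContext, load_session,
# merge_request, save_session and handle are hypothetical names.
from types import SimpleNamespace
from urllib.parse import parse_qs, urlsplit


class MiniContext:
    def __init__(self, store):
        self.locals = SimpleNamespace()
        self.store = store  # server-side session data, keyed by variable name

    def load_session(self):
        # Restore the session values into the shared local namespace.
        for name, value in self.store.items():
            setattr(self.locals, name, value)

    def merge_request(self, url):
        # Copy request fields into the same namespace. Names starting with
        # "_" are refused; they are returned so the caller can log them.
        rejected = []
        for name, values in parse_qs(urlsplit(url).query).items():
            if name.startswith("_"):
                rejected.append(name)
            else:
                setattr(self.locals, name, values[-1])
        return rejected

    def save_session(self):
        # Persist the current values of the session variables.
        for name in self.store:
            self.store[name] = getattr(self.locals, name)


def handle(store, url):
    ctx = MiniContext(store)
    ctx.load_session()
    rejected = ctx.merge_request(url)
    ctx.save_session()
    return ctx, rejected


# Constructed sample: the same value stored under both naming styles.
SAMPLE_STORE = {"name": "username", "_name": "username"}
SAMPLE_URL = "http://host/mypage?name=qqqqqqq&_name=qqqqqqq"

if __name__ == "__main__":
    ctx, rejected = handle(dict(SAMPLE_STORE), SAMPLE_URL)
    print(ctx.locals.name, ctx.locals._name, rejected)
```

In the model the overwritten `name` is also written back to the store, so the client-supplied value outlives the request, while `_name` keeps its server-side value.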