Apress Foundations of Python Network Programming 3rd (2014) by unknow

Author:unknow
Format: epub

HTTP/1.1 200 OK

Set-Cookie: session-id=d41d8cd98f00b204e9800998ecf8427e; Path=/

...

When making all further requests to that particular server, the client includes that name and value in a Cookie header.

GET /login HTTP/1.1

Cookie: session-id=d41d8cd98f00b204e9800998ecf8427e

...

This made site-generated login pages possible. When a login form is submitted with invalid credentials, the server can present it again with as many helpful hints or support links as it pleases, all styled exactly like the rest of the site. Once the form is submitted correctly, it can grant the client a cookie that is specially crafted to convince the site of the user’s identity during all subsequent requests.

More subtly, a login page that is not a true web form but that uses Ajax to stay on the same page (see Chapter 11) can still enjoy the benefit of cookies if the API lives at the same hostname. When the API call to do the login confirms the username and password and returns 200 OK along with a Cookie header, it is empowering all subsequent requests to the same site—not just API calls but requests for pages, images, and data—to supply the cookie and be recognized as coming from an authenticated user.

Note that cookies should be designed to be opaque. They should be either random UUID strings that lead the server to a database record giving the real username or encrypted strings that the server alone can decrypt to learn user identity. If they were user-parsable—if, for example, a cookie had the value THIS-USER-IS-brandon—then a clever user could edit the cookie to produce a forged value and submit it with their next request to impersonate some other user whose username they knew or were able to guess.

Real-world Set-Cookie headers can be much more complicated than the example given, as described at length in RFC 6265. I should mention the secure attribute. It instructs the HTTP client not to present the cookie when making unencrypted requests to the site. Without this attribute, a cookie could be exposed, allowing anyone else sharing the coffee-shop wi-fi with a user to learn the cookie’s value and use it to impersonate the user. Some web sites give you a cookie simply for visiting. This lets them track your visit as you move around the site. The history collected can already be used to target ads as you browse and then can be copied into your permanent account history if you later log in with a username.

Many user-directed HTTP services will not operate without cookies keeping track of your identity and proving that you have authenticated. Tracking cookies with urllib requires object orientation; please read its documentation. Tracking cookies in Requests happens automatically if you create, and consistently use, a Session object.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.