On Tue, 3 Sep 2002, Adrien Plisson wrote:
>From: "Rimon Barr" <barr@...>
>> This will work, yes. But why not just insert your code
>> #some module inits here...
>> into the start() function? Both the __init__() and the start() methods are
>> called at the beginning of *each* request.
>because of the question which followed this one. I was thinking __init__ was
>called only once at module startup, and start at request processing. so i
>was looking at initializing a db connection for this module in __init__ and
>creating a new cursor on this connection at each request. but i can't...
I'm beginning to think (from this email, and from our numerous private
emails) that what you are looking for is application-level or server-level
hooks. Many of your questions seem to revolve around this same theme. You
want to load some module into the server before a page request even occurs
to perform initialization. You want to have a one-time module
initialization, even before a request. You want to set global server
variables... (The latter, by the way, can often be replaced with a simple,
static include of some file that defines your "constant" values, but the
point is still well taken.)
Perhaps we do need some sort of server-level or application-level
configuration file. I'm currently thinking that an application would map
onto a directory, and you would have a spyce.conf in that directory, but
that's not certain. Perhaps you would want to have some other mapping. I
need to see what is done in Tomcat, Webware, PHP and other environments
first, before making a design decision. And, as we have discussed, perhaps
we should add a spyce.conf in a well-known server location (such as /etc
or c:\program files\spyce or in the registry) where we define things such
as:
 - modules to load at server startup
 - the module path
 - global server variables
 - other things, such as the size of the in-memory spyce
>i'm trying to get an authentication module (which can also act as a
>secure session module). i started writing this feature entirely from
>mod_python, some months ago, and now, i would like to see it in my spyce
>script. since mod_python does not have any kind of session handling
>mechanism, and since the way this authentication is done is very specific
>to the website i'm creating, i had to code it myself. from spyce, i could
>have used the session module, but many things were missing there.
Tell me which things... Perhaps they are general-purpose things that
should be added to the standard module library.
>the principle is to authenticate someone once, with a login and password
>given in a POST request. i then generate a unique cookie which will
>authenticate this user on this connection for each subsequent request.
>the generated cookie and all information associated with it are stored
>in a database, which is queried each time we want to verify the validity
>of the cookie. The verification is done by comparing as much information
>as possible given the request and the information stored in the database
>(login, ip, last access time, cookie generation time...). This is very
>restrictive, and i hope as much secure as possible (it seems the cookie
>cannot be 'faked', but it has to be verified...).
This seems reasonable for very light security, although I can think of
simple scenarios when this can be broken. Let's say both you and I are
behind an IP-masquerading gateway. I sniff the network for your network
packets and reconstruct your TCP/IP stream with the HTTP request. From
this I steal your "secure" cookie. Now, I have your cookie and the same IP
address. There are also other ways to fake an IP address or to steal your
cookie information. However, this discussion is tangential to Spyce...
>this module is built for authentication, but the principle can be applied
>for session management with a database. it also leads me to think about
>the session module (standard spyce session module) and how it can be
>improved to be more generic and more user-configurable. but this is for a
Looking forward to those suggestions.
All the best,
* Rimon Barr Ph.D. candidate, Computer Science, Cornell University
| barr@... - http://www.cs.cornell.edu/barr - Y!IM: batripler
| Understanding is a kind of ecstasy.
+---- -- Carl Sagan
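
An added example, not part of the original email or of Spyce: a minimal sketch of the cookie scheme described in the thread (a random cookie stored in a database and checked against login, IP, generation time and last access time), showing why a cookie replayed from behind the same masquerading gateway still passes every server-side check. The table layout, function names, timeout values and addresses are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3

IDLE_TIMEOUT = 15 * 60       # assumed policy: seconds of inactivity allowed
MAX_LIFETIME = 8 * 60 * 60   # assumed policy: absolute session lifetime

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, login TEXT,"
               " ip TEXT, created REAL, last_access REAL)")
    return db

def _digest(token):
    # Store only a hash so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_cookie(db, login, ip, now):
    token = secrets.token_urlsafe(32)   # unguessable value from the OS CSPRNG
    db.execute("INSERT INTO sessions VALUES (?,?,?,?,?)",
               (_digest(token), login, ip, now, now))
    return token

def verify_cookie(db, token, ip, now):
    """Return the login if the cookie is valid for this request, else None."""
    key = _digest(token)
    row = db.execute("SELECT login, ip, created, last_access FROM sessions"
                     " WHERE token_hash = ?", (key,)).fetchone()
    if row is None:
        return None                      # unknown or guessed cookie
    login, bound_ip, created, last_access = row
    if now - created > MAX_LIFETIME or now - last_access > IDLE_TIMEOUT:
        db.execute("DELETE FROM sessions WHERE token_hash = ?", (key,))
        return None                      # expired: remove the server-side record
    if ip != bound_ip:
        return None                      # request came from a different address
    db.execute("UPDATE sessions SET last_access = ? WHERE token_hash = ?", (now, key))
    return login

def demo():
    db, t0 = open_store(), 1_000_000.0   # constructed clock value
    gw = "203.0.113.7"                   # constructed address of the shared gateway
    cookie = issue_cookie(db, "alice", gw, t0)
    return {
        "owner": verify_cookie(db, cookie, gw, t0 + 60),
        # A copied cookie sent from behind the same gateway looks identical.
        "same_gateway_replay": verify_cookie(db, cookie, gw, t0 + 120),
        "other_ip": verify_cookie(db, cookie, "198.51.100.9", t0 + 130),
        "guessed": verify_cookie(db, "guess", gw, t0 + 140),
        "idle_expired": verify_cookie(db, cookie, gw, t0 + 120 + IDLE_TIMEOUT + 1),
    }
```

The `same_gateway_replay` result is the point: nothing stored in the database distinguishes the two clients, so keeping the cookie off the wire in clear text (HTTPS and the cookie's `Secure` attribute) is what addresses the sniffing case.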