Mod_python, jsonrpc and sessions


p3dda.adam

Hi,

I've got a python web-application being served by apache via
mod_python, in which the users' sessions are tracked via the mod_python
Session module.
Some of the websites generated contain a java-script function which starts
a jsonrpc call to the same server and gets further data or stores
something to a database (AJAX). The server-sided jsonrpc functions are
written in python as ServiceMethods.

As I need to identify the user issuing the rpc call, I'm wondering if
there is any possibility to access the session created by the
previously called mod_python Handler-method. In mod_python it is
accessed using the mod_python request object, but in the rpc
servicemethod I don't have such an object. So how can I track the rpc
caller?

Any ideas and hints appreciated.
Peter
 

lkcl

> Hi,
>
> I've got a python web-application being served by apache via
> mod_python, in which the users' sessions are tracked via the mod_python
> Session module.
> Some of the websites generated contain a java-script function which starts
> a jsonrpc call to the same server and gets further data or stores
> something to a database (AJAX). The server-sided jsonrpc functions are
> written in python as ServiceMethods.
>
> As I need to identify the user issuing the rpc call, I'm wondering if
> there is any possibility to access the session created by the
> previously called mod_python Handler-method. In mod_python it is
> accessed using the mod_python request object, but in the rpc
> servicemethod I don't have such an object. So how can I track the rpc
> caller?

the only way to store "session" info reliably is: cookies.

therefore, the code in one part of the application _will_ have to
store a session cookie as an identifier, and you can track the name of
that cookie through the source code that created it. or look in the
source code for anything beginning with the word "session".
"grep -ril" is your friend.

also, if the app stores its session authentication information in a
database, you can look through the app for the database table name.

if you don't _know_ the database table name, and are having
difficulty finding out because the design of the app is SHITE then you
can do a dump of the database _before_ a session login, and a dump
afterwards, and then diff is your friend. if the database is mysql,
add --extended-insert=no (something like that) to the mysqldump
command otherwise you will have a bitch-awful job identifying the
right line.

i've done this when working with fricking-joomla, integrating it with
django. fireboard. i had to hunt through the php code looking for
the database user-session.

once you have the session info, that's your "user tracking" function
in the rpc calls.

none of the above is particularly rocket science - or actually
anything to do with python: it's a simple matter of applying
investigative techniques logically working from how the technology
_should_ work and then bludgeoning it into submission to tell you what
the hell's going on.

l.
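
Added example (not code from either poster or from mod_python itself): resolving the RPC caller from the session cookie, as the reply describes. It assumes the session cookie is named "pysid" with a 32-hex-digit value, and uses a constructed in-memory dict in place of the real session store; `rpc_caller`, `session_id_from_header` and `AuthError` are hypothetical names.

```python
import re
import time
from http.cookies import SimpleCookie, CookieError

COOKIE_NAME = "pysid"                    # assumption: name of the session cookie
SID_RE = re.compile(r"[0-9a-f]{32}")     # assumption: session id format

# Constructed stand-in for the server-side session store (file, dbm, DB table).
SESSIONS = {
    "0123456789abcdef0123456789abcdef": {"user": "peter", "expires": 2_000_000_000},
    "ffffffffffffffffffffffffffffffff": {"user": "stale", "expires": 1_000_000_000},
}

class AuthError(Exception):
    """Raised when an RPC request cannot be tied to a live session."""

def session_id_from_header(cookie_header):
    """Pull the session id out of a raw Cookie header and validate its shape."""
    if not cookie_header:
        raise AuthError("no cookie sent")
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        raise AuthError("malformed cookie header")
    morsel = jar.get(COOKIE_NAME)
    # Validate before the id is used as a key into any file- or DB-backed store.
    if morsel is None or not SID_RE.fullmatch(morsel.value):
        raise AuthError("missing or malformed session id")
    return morsel.value

def rpc_caller(cookie_header, rpc_params, now=None):
    """Return the user behind an RPC call, using server-side session state only."""
    sid = session_id_from_header(cookie_header)
    record = SESSIONS.get(sid)
    now = time.time() if now is None else now
    if record is None or record["expires"] <= now:
        raise AuthError("unknown or expired session")
    # rpc_params is client-controlled: any "user" field in it is ignored here.
    return record["user"]
```

The identity comes only from the cookie lookup, so a caller cannot change it by editing the JSON-RPC body.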
 
