Sane

Yay! I got it setup here: http://o2jamrecall.dyndns.info:8080/

When I have the python console running, it says the IP address of everyone who accesses any page. Is there any way to grab that IP address? I need it to create a log of sessions by mapping the username to something as unique as an IP address. (I'm aware PyCherry has built in Sessions, but I'd like to have control over their functionality)

And how do I get rid of that "Build Time, Page Size". o_o;; Right now I just cheated by making the color white and the text small.

Arevos

IP addresses aren't that unique. Everyone behind a NAT will have the same IP address, and IPs from dialup internet connections change regularly. If you want extra security, it's usually best to use IP addresses in conjunction with session cookies; ie. a person must have the same recorded IP and the same session ID to continue.

But, if you want the IP, I suggest looking at the cherrypy.request object (in the documentation I linked to, it calls it the cpg.request object; ignore this, with 2.1 it's been changed to cherrypy.request)
That's handled in the configuration file. This page explains how to use the configuration system.

The Build Time thingy is part of the Log debug filter. To disable it, make a config file like so:
The global section says to CherryPy that you want to apply this value to all pages. Note also that "False" needs a capital letter at the beginning, as in Python; "false" won't work.

To load this configuration file:
Configuration can also be specified as a dictionary:
It also might be an idea to change the server's port to "80", which is the standard HTTP port (CherryPy uses port 8080 by default):
This will mean people will be able to access your site through: http://o2jamrecall.dyndns.info/

Arevos

Surely you could make changes to any data on a remote server via FTP, SSH, or a SQL interface like phpMyAdmin?
True; you can only be completely sure of security if you're hosting it yourself.

Sane

Wow! Thanks again for all the usefull information! But if I'm going to do session IDs I would need to save that sessionID to the user who logged in's computer, correct? Is there a way I can do this?

Cerulean

Exactly. If you use Konqueror as your file manager you can use the fish KIO slave to make the fact you're working on a remote filesystem via SSH completely transparent.
Not sure about that one. On the server they have backups (or you can setup your own) and make it their duty to not lose your stuff. Plus the people that host it are qualified technicians that know how to secure a webserver. I'd say it's much more secure than on your local computer.

You make the session session ID and then either
a) Append that session ID to all links for your current domain
b) Put it in a cookie
Method b) technically does write to their computer. You then read the session ID and do whatever accordingly.

Arevos

I'm not quite sure what you want to do. If you want to match a person to an account, then the only way to ensure this match is through some manner of username/password.

You can also make your session cookie have an extremely long expiry date, essentially making it indefinite. Google does this; it's cookie will only expire in 2038. However, you can't guarentee that the user won't wipe their cookie cache, or use another browser.

What exactly do you want to achieve?

Arevos

Sure, the servers of an average web host are likely to be more secure than your average home computer. But if you're hosting it with someone else, you have to trust them with your data, unless you're going to encrypt and decrypt the data at the client end. So how secure a webserver is is limited by how far you trust them. If you set up a webserver yourself, then you can potentially make it as secure as you like.

Besides, it doesn't take too much effort to secure a website nowadays. With a bit of knowledge and some spare time, you can easily host a site that is just as secure as the vast majority of webservers. And if you're willing to take the time setting up security tools such as SELinux or Tripwire, then you can host a site that is amongst the most secure on the web.

Dameon

...and with a fraction of the bandwidth, too!

__________________
MD5(sig) = bcef75433db02e9ad9bf81d6f7c5c270

Sane

Okay, I'm fairly sure I've got this working very well.

Care testing it? I'm logged in right now under the username Saney, IP 70.49.132.3
Try to hijack my session. You'll know you're logged in when you know longer see the two forms at the top of the page, and you're able to access http://jammersbase.dyndns.org/modifyscores

Here's the site http://jammersbase.dyndns.org/

Yes, I know it looks quite welfare, but I'm still developing framwork here.

Arevos

Looks good so far - though the HTML is missing <html> tags, a <head> and a <body>. You might want to try out a templating system with CherryPy if you're not already; separating HTML and Python code is usually a good idea.

What does the login system use? An SQL query? It seems happily immune from injection attacks, so that's good news

Does the login system use sessions, and check security by ensuring the IP address is the same, or is it entirely IP address based?