I am writing an HTTPS-based application using Apache2 as the web server, and Python as the language (not sure which framework or Apache2 mod yet). After clients (which are not web browsers) first establish an HTTPS connection to the server, they are expected to send an authentication message. If authentication is successful, they are able to send more commands, until the connection is closed (HTTP 1.1 will be used, with a long keep-alive time). My question is, is it possible to have state associated with the connection? I don't want the client to have to send cookies or session IDs -- the HTTPS application should be able to figure out the session based on the connection that each request belongs to... the question is how?

A: 

HTTP/S is a stateless protocol, so if you don't want to have cookies maintaining the state, then you must pass the state on to the server each time using hidden variables, query params or some other means, and take care of it on the server side.

shivaspk

I suppose I don't necessarily need the HTTP/S protocol to maintain state. All I need is some way of uniquely identifying the underlying TCP connection that Apache2 is using to handle a request.

A: 

One possible solution is using SSL_SESSION_ID, which is accessible to applications using mod_python, to uniquely identify each client. The problem with this is the ID can apparently change -- but it isn't clear to me whether it can change in the middle of a connection (which would be problematic), or only between connections (which is good -- I actually would need to enforce this behavior).

Anyway, this is the sort of thing I'm looking for, if it wasn't clear from the original question.
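
The connection-scoped state the question asks for, as an added example that is not part of the original posts: it uses Python's standard-library `http.server` over plain HTTP on loopback instead of Apache2 with TLS (an assumption, so that it runs stand-alone), where each TCP connection gets its own handler instance. `SHARED_SECRET`, the `/auth` and `/cmd` paths, and all class and function names are constructed for illustration.

```python
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SHARED_SECRET = b"constructed-demo-secret"  # constructed sample credential

class ConnectionBoundHandler(BaseHTTPRequestHandler):
    # http.server builds one handler instance per TCP connection, so
    # attributes on self last across its keep-alive requests and no longer.
    protocol_version = "HTTP/1.1"  # needed for keep-alive

    def setup(self):
        super().setup()
        self.authenticated = False  # server-side, per-connection state

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # Always drain the body first so the keep-alive stream stays in sync.
        payload = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/auth":
            self.authenticated = hmac.compare_digest(payload, SHARED_SECRET)
            self._reply(200 if self.authenticated else 403, b"auth result")
        elif not self.authenticated:
            self._reply(401, b"authenticate first")
        else:
            self._reply(200, b"accepted: " + payload)

def demo():
    """Statuses for command, auth, command on one connection, then a command on a new one."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ConnectionBoundHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    first, second = (http.client.HTTPConnection("127.0.0.1", server.server_port) for _ in range(2))
    steps = [(first, "/cmd", b"status"), (first, "/auth", SHARED_SECRET),
             (first, "/cmd", b"status"), (second, "/cmd", b"status")]
    statuses = []
    for conn, path, body in steps:
        conn.request("POST", path, body=body)
        response = conn.getresponse()
        response.read()  # drain so the same socket is reused
        statuses.append(response.status)
    first.close()
    second.close()
    server.shutdown()
    server.server_close()
    return statuses
```

Calling `demo()` shows the second connection being refused even though the first one authenticated. The binding only holds when the client's TCP connection terminates at the application itself; a reverse proxy or load balancer that reuses upstream connections for several clients would break it.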