Python for Entrepreneurs Transcripts
Chapter: User accounts and identity
Lecture: Demo: Making the cookie tamper-proof
0:01
Let's come back and look at these cookie values that we're working with, this hash, and the hash is already better
0:07
than just having the user id, but we can do a lot better, so let me write a function that says, given a user id, I am going to get the hash,
0:14
because we've got to do it there, and down here we've got to do it again,
0:17
and we don't want to do this more than once, so I can hit Ctrl+T to refactor,
0:21
extract the method, hide it from the importers, so I'll say double underscore, so this will be hash text or something like that.
0:30
OK, and so this will be, we'll just call this "text" as the input value here. So of course, we want to add some salt to this
0:39
so that you can't just take the user name, or rather the user id, and hash it and see what comes out.
0:45
So, this salt we're not going to share with anybody, we'll just say "we want this to be something simple for now", saltiness for the text.
0:56
OK, so what we are going to hash is actually that string, which is going to generate a completely different hash than just the user id
1:05
which we're putting in the front part of this thing, OK. And so we are going to change the text and we are going to send it back.
1:10
Now this is actually going to be a nice little test, because we already have a cookie
1:14
with this incorrect value here, so it should let us detect this,
1:18
we should print a "Warning: Hash mismatch" and it will treat us as if we're not logged in.
1:22
OK, in order for that to work we also need to call the right function here, so here is where we do the check,
1:31
and here is where we do the original generation. Let's see what we get. Now if I come over here, the only page checking right now is account,
1:40
so I hit this and it says you must sign in, even though it's authenticated. Why? Because the hash did not match, it was invalid,
1:47
but of course, if I do sign in, now we should have the new one. We've signed in, that's replaced the cookie, everything is good.
1:55
So the last thing we need to do is allow a user to sign out, as well as maybe indicate up here,
2:03
instead of sign in, flip that to log out, and instead of register, maybe a link to view our page. So we are going to come back and look at that next.
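The lecture builds the cookie as the user id plus a hash of a secret salt prepended to that id, and treats a mismatch as "not logged in". The block below is an added example written for this transcript; it is not the course's code. It keeps the same cookie shape ("user_id:tag") and the same "Warning: Hash mismatch" behaviour, but computes the tag with HMAC-SHA256 under a server-side key rather than a plain hash of salt plus id, and compares tags with hmac.compare_digest. SECRET_KEY, make_auth_cookie, parse_auth_cookie and demo are names chosen here, and the key value is a constructed placeholder.

```python
"""Tamper-evident login cookie: user id plus a keyed tag.

Added example for the transcript above (not the course's own code).
Cookie layout: "<user_id>:<hex tag>", tag = HMAC-SHA256(SECRET_KEY, user_id).
"""
import hashlib
import hmac
from typing import Optional

# Constructed placeholder. A real app loads this from configuration or a
# secrets store, never from source control, and rotates it when it leaks.
SECRET_KEY = b"example-only-secret-key-do-not-ship"


def _tag_for(user_id_text: str, key: bytes) -> str:
    """Keyed tag over the user id. HMAC, not sha256(salt + id), so an
    attacker who learns a valid (id, tag) pair cannot derive tags for other
    ids without the key."""
    return hmac.new(key, user_id_text.encode(), hashlib.sha256).hexdigest()


def make_auth_cookie(user_id: int, key: bytes = SECRET_KEY) -> str:
    """Value to set in the cookie after a successful login."""
    user_id_text = str(user_id)
    return f"{user_id_text}:{_tag_for(user_id_text, key)}"


def parse_auth_cookie(cookie: Optional[str], key: bytes = SECRET_KEY) -> Optional[int]:
    """Return the logged-in user id, or None if the cookie is missing,
    malformed, or its tag does not verify (the lecture's 'treat as not
    logged in' path)."""
    if not cookie or ":" not in cookie:
        return None
    user_id_text, _, tag = cookie.partition(":")
    if not user_id_text.isdigit():
        return None
    expected = _tag_for(user_id_text, key)
    # Constant-time comparison: a plain '==' returns early on the first
    # differing character and can leak how much of a guessed tag is right.
    if not hmac.compare_digest(expected, tag):
        print("Warning: Hash mismatch")
        return None
    return int(user_id_text)


def demo() -> dict:
    """Exercise the normal path and the tampering cases the lecture describes."""
    good = make_auth_cookie(42)
    _, _, good_tag = good.partition(":")
    return {
        # Freshly issued cookie verifies.
        "valid": parse_auth_cookie(good),
        # Attacker edits the id but keeps the old tag: rejected.
        "id_swapped": parse_auth_cookie("43:" + good_tag),
        # Attacker hashes the bare id (no key): rejected.
        "unkeyed_hash": parse_auth_cookie("42:" + hashlib.sha256(b"42").hexdigest()),
        # Cookie issued under a different key (e.g. after rotation): rejected.
        "wrong_key": parse_auth_cookie(good, key=b"rotated-key"),
        # Garbage or missing cookie: rejected without raising.
        "garbage": parse_auth_cookie("abc:deadbeef"),
        "missing": parse_auth_cookie(None),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only "valid" yields a user id; every tampered or foreign cookie comes back as None, which is the same outcome the lecture gets when the stale cookie is presented to the account page. The tag does not encrypt anything: the user id is still readable in the cookie, it just can no longer be changed without the key.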