Python for Entrepreneurs Transcripts
Chapter: User accounts and identity
Lecture: Demo: Making the cookie tamper-proof

0:01 Let's come back and look at these cookie values
0:04 that we're working with, this hash, and the hash is already better
0:06 than just having the user id but we can do a lot better,
0:09 so let me write a function to say given a user id, I am going to get the hash
0:13 because we've got to do it there, and down here we've got to do it again,
0:16 and we don't want to do this more than once, so I can hit Ctrl+T to refactor,
0:20 extract the method, hide it from the importers, so I'll say double underscore,
0:24 so this will be hash hash text or something like that.
0:29 OK, and so this will be, we'll just call this text as the input value here,
0:33 so of course, we want to add some salt to this
0:38 so that you can't just take the user name or the user id rather
0:42 and then hash it and see what comes out.
0:44 So, this salt, we're not going to share with anybody, we'll just say
0:47 "we want this to be something simple for now", saltiness for the text,
0:55 OK, so what we are going to hash is actually that string which is going to generate
1:01 an absolutely different hash than just the user id
1:04 which we're putting in the front part of this thing, OK.
1:07 And so, we are going to change the text and we are going to send it back.
1:09 Now this is actually going to be a nice little test, because we already have a cookie
1:13 with this incorrect value here, so it should let us sort of do this detect,
1:17 we should print a "Warning: Hash mismatch" and it will treat us as if we're not logged in.
1:21 OK, we also need to, in order for that to work, call the right function here,
1:26 so here is where we do the check,
1:30 here is where we do the original generation, let's see what we get.
1:36 Now if I come over here, the only page right now checking is account
1:39 so hit this and it says you must sign in even though it's authenticated.
1:43 Why? Because the hash did not match, it was invalid,
1:46 but of course, if I do sign in, now we should have this new one,
1:51 we've signed in, now that's replaced that cookie, everything is good.
1:54 So the last thing we need to do is allow a user to sign out,
1:59 as well as maybe we want to indicate up here
2:02 instead of sign in, flip that to log out, instead of register, maybe a link to view our page.
2:06 So we are going to come back and look at that next.