Can I use a session token instead of a session?
I've got a use case called edit that seems to require a session, since registration and keeping an OpenID / OAuth account isn't required. So I rolled my own authentication system with SHA1 that can check a password, and now I want to know if I can implement the function to edit an article without bringing in my own session object. Can it be done with a token that expires in some way? The user needs to be "logged in", but all I have to implement is enabling editing of an object, and since users can be logged in just by sending an email I think login can be done with a session token. Thanks
What you want is called a "cookie-based session" by libraries such as Beaker. Ideally, you should simply use Beaker or another library that provides such functionality, but in any case here's a lowdown on how they work:
The session data (which could just be a user identifier, or a flag indicating they have permission) is stored in a regular client-side cookie. It's optionally encrypted with a secret key, and it's stored alongside an HMAC generated using a different key. The optional encryption prevents the user from reading the data, and the HMAC ensures they can't modify it.
As a side-note, you say "registration and keeping an OpenID account isn't required", but then talk about your own authentication using SHA1 and passwords. Please bear in mind: Getting authentication right can be tricky, and few users want to sign up for another account with its own password when they could use an existing account to sign in.
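As an added illustration of the signed-cookie scheme described in the answer (example code, not Beaker's implementation or the answerer's own): the session data plus an expiry time are serialised into the cookie value and protected with an HMAC so the client cannot alter them or extend the expiry. Encryption is left out, so the payload stays readable by the client; the key handling and function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Assumed key handling: in a real app load the key from configuration,
# never generate it per process (tokens would stop verifying on restart).
SIGNING_KEY = os.urandom(32)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(session, key=SIGNING_KEY, ttl=3600, now=None):
    """Serialise session data with an expiry and append an HMAC-SHA256 tag."""
    payload = dict(session)
    payload["exp"] = int(now if now is not None else time.time()) + ttl
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"

def read_token(token, key=SIGNING_KEY, now=None):
    """Return the session dict, or None if the tag is wrong, the token is
    malformed, or it has expired. The tag is checked before the body is parsed."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking the tag byte by byte.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if payload.get("exp", 0) <= int(now if now is not None else time.time()):
        return None
    payload.pop("exp")
    return payload
```

The `exp` field lives inside the signed body, so a client cannot push the expiry out without invalidating the tag.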