David Fraser
davidf at sjsoft.com
Mon Nov 24 14:25:20 EST 2003
Joao S. O. Bueno wrote:

>Hi there.
>
>I am actually implementing this in the very first mod python app I am
>developing.
>
>
>You actually have to override the Auth Handler from apache with a
>Python Module.
>
>If you google for it, you will be offered a lot of ready-made session
>control stuff, as part of existing packages.
>
>It is not, however, that hard to implement from scratch. Here is my
>.htaccess:
>
>    AddHandler python-program .py
>    PythonHandler dummy
>    PythonAuthenHandler verify
>
>
>As you can see, the PythonAuthenHandler is "verify.py" which is
>called. (inside it, the authenhandler() function is called)
>
>I then encode some session data (like originating IP + user password)
>to generate an MD5 hashed cookie I send to the browser to further
>authentication. In the server, I save a session ID file with the
>session data, and regenerate the cookie at each page load (which goes
>thru the "AuthenHandler" again) and compare it with the browser-sent
>cookie.
>
>One thing I am still trying to find out is how to detect when the
>person navigates to another site - in which case, the session should
>be terminated. I mean: I cannot allow that once in other site one can
>be back in the secure section by hitting "back".
>
>As of the time, I plan to implement this thru a javascript that will
>destroy the cookie in a "unload()" event. But I would appreciate more
>suggestions.
>
>
The question is, what do you mean by being in another site? Someone can
easily be in multiple sites at once.
Maybe what you want is a timeout so if someone hasn't used their session
for 10 minutes they have to log in again.

David

>
>Regards,
>
>   JS
>   -><-
>
>
>On Saturday 22 November 2003 20:13, martin.clausen at privat.dk wrote:
>
>
>>How do I do form-based authentication using mod_python / Apache? I
>>would like to use Apache's authentication mechanism (as used in the
>>mod_python manual (release 3.0.3)), but would like a form-based
>>login/password solution instead of the pop-up - is that possible?
>>
>>The only solution I have been able to find after a lot of googling
>>and mailing list searches is to use javascript to prefix the login
>>and password to the request from a form on a "cover" page, but
>>besides from the inelegance inherent in this solution and the
>>security risk in transmitting the password as part of the request,
>>it would not prevent the pop-up from appearing if someone requested
>>the login script directly.
>>
>>Any help is appreciated, also if you have a solution for
>>form-based authentication that does not use Apache.
>>
>>Regards,
>>
>>Martin
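
Added example, not part of the original thread and not code from either poster: a standard-library Python sketch of the server-side check described above, with the 10-minute idle timeout from the reply enforced on every request. It is framework-independent (no mod_python calls), and it swaps in a random session ID plus an HMAC-SHA256 tag under a server-only key in place of an MD5 of IP and password; SERVER_KEY, SESSIONS, login, check and logout are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 10 * 60                 # seconds: the 10 minutes suggested in the reply
SERVER_KEY = secrets.token_bytes(32)   # assumption: secret that never leaves the server
SESSIONS = {}                          # session_id -> [client_ip, last_seen]; stands in for session files


def _tag(session_id, client_ip):
    msg = (session_id + "|" + client_ip).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(client_ip, now=None):
    """Call once the posted form credentials have been verified; returns the cookie value."""
    now = time.time() if now is None else now
    session_id = secrets.token_hex(16)  # random, not derived from the password
    SESSIONS[session_id] = [client_ip, now]
    return session_id + "." + _tag(session_id, client_ip)


def check(cookie, client_ip, now=None):
    """Run on every request (the authen-handler step). False means: show the login form."""
    now = time.time() if now is None else now
    session_id, _, tag = cookie.partition(".")
    record = SESSIONS.get(session_id)
    if record is None:
        return False
    stored_ip, last_seen = record
    expected = _tag(session_id, stored_ip)
    if client_ip != stored_ip or not hmac.compare_digest(tag.encode(), expected.encode()):
        return False                    # wrong address or altered cookie
    if now - last_seen > IDLE_TIMEOUT:
        del SESSIONS[session_id]        # idle too long: the session is gone for good
        return False
    record[1] = now                     # sliding window: activity resets the clock
    return True


def logout(cookie):
    """Explicit logout: forget the session on the server, whatever the browser keeps."""
    SESSIONS.pop(cookie.partition(".")[0], None)
```

Because expiry is decided on the server, hitting "back" after the timeout or after logout() reaches the login form even if the browser still holds the cookie.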