[mod_python] Form-based authentication using mod_python / Apache

Michael S. Fischer michael at dynamine.net
Mon Nov 24 11:10:44 EST 2003


Michael C. Neel wrote:

> So what can you do if you want the sexy login fields, but still be
> secure (as is possible)?  A lot of things; we may not be able to be 100%
> secure, but that doesn't mean we have to make it easy.  Here are
> some things to do (many thanks to the Albatross developers for
> showing me much of this):
> 
> 1.  Build a string or object with as much detail about the client as
> possible, (IP, user-agent, timestamp).
> 2.  Take this string/object and gzip it (we have a space limit).
> 3.  Sign this string with MD5 and a key only the server will ever know.
> 4.  base64 encode the signed string to make sure all characters are
> legit.
> 
> ...now when we decode the cookie...
> 
> 1.  base64 decode it, and check our md5 sig
> 2.  ungzip the string and parse it back to its object/string form
> 3.  make sure the IP, user-agent match the current request
> 4.  make sure the timestamp is within our limit for a login

This is pretty much what the Session handling code in mod_python does 
now, so there's really no need to bother re-inventing the wheel :-)

PS - Grisha, nice job implementing the Session classes.  I couldn't have 
done it better myself, and the code is a nice example of metaclasses and 
subclassing native types that's not well covered in the Python 2.2 
documentation.  (I had to read the PEPs to understand what was going on, 
but it was a rewarding process.)

--Michael
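The cookie recipe quoted above, written out as an added example (this is not code from the thread or from mod_python's Session classes). It swaps the quoted "MD5 plus secret" signature for an HMAC-SHA256 keyed MAC with a constant-time digest comparison, verifies the signature before touching the compressed payload, and uses a constructed secret, IP and user-agent for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Constructed demo secret: a real deployment loads this from server-only config.
SECRET = b"example-secret-key-not-for-production"
MAX_AGE = 3600  # seconds a login cookie stays valid (step 4 of the decode list)
SIG_LEN = hashlib.sha256().digest_size


def make_cookie(ip, user_agent, now=None, secret=SECRET):
    """Steps 1-4: describe the client, gzip (zlib) it, sign it, base64 it."""
    ts = int(time.time() if now is None else now)
    details = {"ip": ip, "ua": user_agent, "ts": ts}
    payload = zlib.compress(json.dumps(details, sort_keys=True).encode())
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig + payload).decode()


def check_cookie(cookie, ip, user_agent, now=None, secret=SECRET, max_age=MAX_AGE):
    """Decode steps 1-4. Returns the client details on success, None otherwise."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    sig, payload = raw[:SIG_LEN], raw[SIG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Check the MAC first so untrusted bytes never reach the decompressor.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        details = json.loads(zlib.decompress(payload))
    except (zlib.error, ValueError):
        return None
    # Step 3: the cookie must come back from the same IP and user-agent.
    if details.get("ip") != ip or details.get("ua") != user_agent:
        return None
    # Step 4: reject cookies older than the login limit, or dated in the future.
    current = time.time() if now is None else now
    if not 0 <= current - details.get("ts", 0) <= max_age:
        return None
    return details


if __name__ == "__main__":
    c = make_cookie("10.0.0.5", "Mozilla/5.0 (constructed)")
    print(check_cookie(c, "10.0.0.5", "Mozilla/5.0 (constructed)"))
```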


