[mod_python] Form-based authentication using mod_puthon / Apache

Simon Willison cs1spw at bath.ac.uk
Mon Nov 24 13:56:15 EST 2003


Michael C. Neel wrote:
> ...now when we decode the cookie...
> 
> 1.  base64 decode it, and check our md5 sig
> 2.  ungzip the string and parse it back to it's object/string form
> 3.  make sure the IP, user-agent match the current request
> 4.  make sure the timestamp is within our limit for a login

One potential problem with checking the IP is that some people access 
the internet through a rotating proxy, meaning that subsequent requests 
might come from a different IP address (I've heard AOL does this). One 
way around this would be to check that at least the first two parts of 
the IP address stayed the same as only the last two would be likely to 
change if a rotating proxy was in use.



More information about the Mod_python mailing list