David Fraser
davidf at sjsoft.com
Wed May 19 20:58:31 EDT 2004
Presume you meant to send this to the list too...

David

Terry MacDonald wrote:

>Looking for suggestions/ideas/implementations...
>
>On the subject of authentication let's assume we are using the publisher
>handler and that we do not want to use basic http authentication to ask
>for login details; we want our own nice login integrated into the page.
>
>Another requirement is to have the login page appear only when the user
>wants to access certain areas/pages of the site and they are not already
>logged in (all other pages are public). The 'are they' 'aren't they'
>logged in can be handled by the session stuff which I understand and
>have implemented elsewhere.
>
>Note: when not using the http basic authentication any authenhandler
>specified in the python http config is NOT called. Therefore authen code
>now has to be integrated into each of the protected pages - correct?
>instead of always being called before the main handler when a certain
>directory is accessed.
>

Yes, correct...

>Anyway, question(s):
>
>A protected page is requested and the user has yet to login (session
>check at start of page does this, yes?), so the login page is
>displayed. If login is successful how do we know which of the protected
>pages we should display because that information (i.e. originally
>requested page) was several requests ago before a session was
>established, since then we have had login information sent to us.
>
>Summarising, as users log in how do I display the page they originally
>requested prior to the login stuff getting in the way and not some
>default page as a get out clause.
>

You can either serve the login page from the original URL they were
accessing, or redirect them to the login page but pass a parameter
indicating where to go next...
Note I'm not too familiar with publisher...

>Cheers
>
>On Wed, 2004-05-19 at 16:26, David Fraser wrote:
>
>> From my experience, you'll be a lot better off doing your own thing
>>with cookies (or using the mod_python session code) than trying to use
>>HTTP authentication. It's just as easy to code and you have a lot more
>>flexibility - HTTP authentication support in most browsers isn't really
>>designed for logging out.
>>
>>David
>>
>>Diener, Edward wrote:
>>
>>>OK, I understand that the browser is automatically supplying the
>>>authentication information to the server. Is there any way to
>>>short-circuit this for a particular URL? The only thing I can think of
>>>is that since the browser is supplying authentication information on
>>>subsequent attempts within a session, if I can programmatically close
>>>down the session, I can force the authentication dialog the next time
>>>around. Is there a way to programmatically close down a session from the
>>>server side using mod_python?
>>>
>>>Diener, Edward wrote:
>>>
>>>>Why would the browser hide this action from me, producing no prompt?
>>>>
>>>For the sake of convenience. A browser must prompt for the login when it
>>>first encounters a location protected by HTTP Basic Authentication,
>>>since it doesn't know the user/password. Obviously, anyone could program
>>>a browser that simply caches this information for later reuse, but
>>>convention requires that the browser forgets this information when you
>>>close it. In fact, many will offer to save these values for future use
>>>(a potentially dangerous practice).
>>>
>>>Why is this behavior important? Pick any modern password-protected web
>>>site and count the number of dependent files that must be loaded to
>>>render the page, such as images, stylesheets, javascript sources, etc.
>>>If your browser didn't remember your login, you would be prompted for
>>>every single one of those files. The site would be practically unusable.
>>>_______________________________________________
>>>Mod_python mailing list
>>>Mod_python at modpython.org
>>>http://mailman.modpython.org/mailman/listinfo/mod_python
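The second option in the reply above (redirect to the login page and pass a parameter saying where to go next), sketched as an added example that is not part of the original thread. It is framework-neutral Python rather than mod_python code; the `/login` path, the `next` parameter name and the function names are assumptions. The return target is validated as a same-site path on the way in and on the way out, because the parameter is user-controlled.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_PATH = "/login"   # assumed location of the login page
DEFAULT_PAGE = "/"      # assumed fallback when no usable target is given


def safe_next(target):
    """Return target if it is a same-site absolute path, else DEFAULT_PAGE."""
    # Reject empty values and control characters (header injection, parser tricks).
    if not target or any(ord(c) < 0x20 for c in target):
        return DEFAULT_PAGE
    # Must be a local path. Browsers treat "\" like "/", so both "//host"
    # and "/\host" would send the user to another site.
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return DEFAULT_PAGE
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return DEFAULT_PAGE
    # Do not bounce a freshly logged-in user back to the login page.
    if parts.path == LOGIN_PATH:
        return DEFAULT_PAGE
    return target


def login_redirect(requested_uri):
    """Location for an anonymous user, remembering the page they asked for."""
    return LOGIN_PATH + "?" + urlencode({"next": safe_next(requested_uri)})


def after_login(login_query_string):
    """Location to send the user to once the credentials have been accepted."""
    values = parse_qs(login_query_string).get("next", [])
    return safe_next(values[0] if values else None)
```

A protected page would send `login_redirect(<requested URI with its query string>)` as the `Location` header when the session check fails, and the login handler would redirect to `after_login(<its own query string>)` after a successful login.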