Jorey Bump
list at joreybump.com
Thu Oct 28 20:43:17 EDT 2004
Jorey Bump wrote:

> I think we both did. Your session handling code should appear in the
> section that handles successful authentication. Then you need to perform
> the *authorization* step by checking the validity of the session. If
> that test fails, you return apache.HTTP_UNAUTHORIZED (in addition to
> returning it where authentication fails):
>
>     if passwd == "spam" and user == "eggs":
>         session handling/tests here
>         if passed:
>             return apache.OK
>         else:
>             return apache.HTTP_UNAUTHORIZED
>     else:
>         return apache.HTTP_UNAUTHORIZED
>
> Again, this is untested, and I'm no sessions guru. If I get a chance to
> work up any usable code, I'll post it.

It seems that Session.timeout() isn't suitable for tracking inactivity; it merely imposes a finite lifespan on the session, regardless of last access (correct me if I'm wrong). Therefore, you need to set session variables to track time between requests. This isn't too hard. I used Publisher's builtin authentication instead of PythonAuthenHandler, because I'm more familiar with it. The basic logic is this:

1. Set session variables when the session is created.
2. For each request, look at the session variables to measure inactivity.
3. If inactive too long, force the user to reauthenticate.

For the last step, the session may be deleted to force the session initialization code to run again.

To test the following, open a browser, visit the appropriate URL, authenticate (user=eggs, pwd=spam), hit refresh a few times, pause longer than 5 seconds, then hit refresh again. You should be forced to reauthenticate.
Tested on:

    Apache 2.0.52
    Python 2.3.4
    mod_python 3.1.3

In httpd.conf:

    <Directory "/usr/local/apache2/htdocs">
        Order allow,deny
        Allow from all
        SetHandler python-program
        PythonHandler mod_python.publisher
        PythonDebug On
    </Directory>

This is hello.py (visit http://localhost/hello.py/say?what=something):

    from mod_python.Session import Session
    import time

    # restrict access to this module with basic authentication
    __auth_realm__ = "Restricted"

    # allow these users
    def __access__(req, user):
        if user == "eggs":
            return 1
        else:
            return 0

    # check user and password
    def __auth__(req, user, passwd):
        if user == "eggs" and passwd == "spam":
            # user has successfully authenticated
            sess = Session(req)
            if sess.has_key('max_inactive'):
                # this is an existing session
                # check length of inactivity
                elapsed = time.time() - sess['last']
                # reset timer for next request
                sess['last'] = time.time()
                sess.save()
                # compare elapsed inactivity to maximum allowed
                if elapsed > sess['max_inactive']:
                    # it's been too long
                    # uncomment to delete session (optional)
                    # sess.delete()
                    # force user to reauthenticate
                    return 0
                else:
                    # still within time limit
                    req.write("Authorized.\n\n")
                    # allow user to continue
                    return 1
            else:
                # this must be a new session, so set session variables
                # set maximum inactivity allowed, in seconds
                # use low value for testing
                sess['max_inactive'] = 5
                # initialize timer
                sess['last'] = time.time()
                sess.save()
                # do new session stuff here
                req.write("Session started.\n\n")
                # allow user to continue
                return 1
        else:
            # wrong user or password, force user to reauthenticate
            return 0

    def say(req, what="NOTHING"):
        # all that, just to see this?
        return "I am saying %s." % what
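The three-step idle-timeout logic above, pulled out of mod_python so it can be exercised offline, as an added example that is not part of the original post. It uses a plain dict in place of mod_python's Session object, takes the clock as a parameter so the inactivity gap can be simulated instead of waiting, and checks the credentials with a constant-time comparison. The function names (check_inactivity, authorize, simulate), the option to clear the session on expiry (the post leaves sess.delete() commented out), and the eggs/spam test credentials as module constants are all assumptions of this example.

```python
import hmac
import time

# Test credentials from the post; constructed constants for this example.
VALID_USER = "eggs"
VALID_PASSWORD = "spam"
MAX_INACTIVE = 5  # seconds of allowed inactivity; low value for testing


def check_inactivity(sess, now=None, max_inactive=MAX_INACTIVE, delete_on_expiry=True):
    """Apply the post's three-step logic to a dict-like session.

    sess: a dict standing in for mod_python.Session (assumption).
    now:  current time in seconds; injected so tests can simulate idle gaps.
    Returns "started", "authorized" or "expired".
    """
    if now is None:
        now = time.time()

    if 'max_inactive' not in sess:
        # Step 1: new session, record the policy and the first access time.
        sess['max_inactive'] = max_inactive
        sess['last'] = now
        return "started"

    # Step 2: measure inactivity since the previous request.
    elapsed = now - sess['last']
    if elapsed > sess['max_inactive']:
        # Step 3: idle too long. Clearing the session makes the next request
        # run the initialization path again (the post's optional sess.delete()).
        if delete_on_expiry:
            sess.clear()
        else:
            # Post's default: keep the session but restart the timer, so the
            # reauthenticated request that follows is within the limit again.
            sess['last'] = now
        return "expired"

    # Still within the limit: reset the timer for the next request.
    sess['last'] = now
    return "authorized"


def authorize(user, passwd, sess, now=None):
    """Mirror of __auth__: authenticate, then authorize against the session.

    Returns True if the request may proceed, False to force reauthentication.
    """
    # Constant-time comparison avoids leaking how many characters matched.
    user_ok = hmac.compare_digest(user.encode(), VALID_USER.encode())
    pass_ok = hmac.compare_digest(passwd.encode(), VALID_PASSWORD.encode())
    if not (user_ok and pass_ok):
        return False
    return check_inactivity(sess, now) != "expired"


def simulate(request_times, **kwargs):
    """Replay a sequence of request timestamps against one fresh session.

    Returns the outcome of each request, e.g. for the post's manual test:
    refresh a few times, pause longer than 5 seconds, refresh again.
    """
    sess = {}
    return [check_inactivity(sess, now=t, **kwargs) for t in request_times]


if __name__ == "__main__":
    # Refreshes at 0, 1, 2 seconds, then a 6 second pause, then two more.
    for t, outcome in zip([0, 1, 2, 8, 9], simulate([0, 1, 2, 8, 9])):
        print("t=%ds -> %s" % (t, outcome))
```

Running the block prints the outcome of each simulated refresh; the request at t=8 is rejected because 6 seconds have passed since the previous one, and because the session was cleared the request at t=9 starts a new session rather than resuming the old one. Passing delete_on_expiry=False reproduces the post's default behaviour, where the timer is merely restarted on expiry.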