[mod_python] Authentication and security in general

Graham Dumpleton grahamd at dscpl.com.au
Tue Apr 25 18:57:24 EDT 2006


Dan Eloff wrote ..
> > Using cookies instead of (or in addition to) HTTP authentication
> > (Basic/Digest) is in many cases somewhat better, mainly because
> > you have better control over the browser memorizing passwords
> > and that the server can make it easy to log off a user (just try to
> > log off when using HTTP authentication).
> 
> Tell me about it. I just implemented a mixed authentication system
> yesterday (wrote my own impl of basic auth protocol, because an auth
> handler wasn't working well for me) and was annoyed to discover that
> even when I logout, the browser logs me right back in. I ditched that
> now. I could have saved myself the trouble had I done my research
> better to start with.

Not perhaps relevant as suggestions are to perhaps not be using basic
authorisation, but thought the following link may be of interest:

  HTTP Authentication with HTML Forms
  http://www.peej.co.uk/articles/http-auth-with-html-forms.html

This describes how one can use HTML forms with some JavaScript
to implement basic authentication. That is, avoid the browser-based
popup login window.

I presume that even though this method is used that the browser
is still remembering the credentials for subsequent requests and thus
is still not providing a logout as such.

Still interesting.

Graham

