[mod_python] Authentication

Richard Barrett R.Barrett at ftel.co.uk
Fri Aug 24 10:09:26 EST 2001


Unfortunately there is nothing in HTTP (the protocol) that lets a server 
tell a client browser to "forget" the basic authentication credentials it 
has acquired from the user for a given Realm. And while it has those 
credentials, the client browser will continue to attach them to any request 
it makes to the server for a relevant URL.

The mistake is to view HTTP basic authentication as being a login process 
and as a consequence conclude there should be a complementary logout 
process. The authentication model for HTTP allows the server to demand some 
credentials from a user and have those credentials attached to subsequent 
accesses to the server. If the user hasn't changed why does he need to log 
out?

As you have noted, you can trigger a re-authentication which, if the user 
cancels it, leads to the browser "forgetting" the credentials it has 
associated with the Realm. But this is the best you can do.

The only way to implement a conventional login/logout style is to use an 
HTML form to capture the login credentials, return some identification info 
in a cookie accompanying the response to the form input and specify the 
cookie so that it is attached to subsequent HTTP requests to the server. 
The advantage of this is that a logout process can, in effect, tell the 
browser to destroy the cookie by setting its expiry date.

Before deciding which way to deal with this, ask yourself: why does the 
dialogue between the user and your server require a logout?

At 10:12 24/08/2001 +0200, riesch at nieuw.nl wrote:
>Hi there,
>
>
>I'm using the standard authentication now (with the authenhandler). This 
>all works fine, but I can't seem to figure out how to let a user logout. 
>I've tried to pass information about logout with the url. Something like:
>
>http://www.site.com/?logout
>
>from mod_python import apache, util
>
>def authenhandler(req):
>    form = util.FieldStorage(req, keep_blank_values=1)
>
>    # the field name must be a string; a bare `logout` is an undefined name
>    if form.has_key('logout'):
>        return apache.HTTP_UNAUTHORIZED
>
>    pw   = req.get_basic_auth_pw()
>    user = req.connection.user
>    if correct_user(user, pw):      # the poster's own credential check (not shown)
>        return apache.OK
>    else:
>        return apache.HTTP_UNAUTHORIZED
>
>
>
>Unfortunately, this has the following effects:
>-
>The dialog pops up, even if the user is entering an area that's not 
>protected. Not a very nice solution, but workable (perhaps)
>-
>The URL stays the same, which means the 'form' keeps the logout key. 
>This results in HTTP_UNAUTHORIZED being returned repeatedly.
>
>
>Does anyone have experience with this, or have some hints or thoughts ?
>
>
>Thanks ahead,
>Richard
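The two mechanisms contrasted above, as an added stand-alone example that is not from the thread and is not mod_python code: the only lever Basic auth gives the server is a fresh 401 challenge, whereas a cookie session can be ended by a Set-Cookie with a past expiry. The cookie name `session`, the one-hour lifetime, the user table (with a fixed salt so the example is deterministic) and the signing secret passed in by the caller are all assumptions made for the example; a real deployment would generate per-user salts and keep the secret out of source.

```python
"""Basic-auth challenge vs. cookie login/logout, as plain functions (no mod_python)."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_COOKIE = "session"   # hypothetical cookie name
SESSION_TTL = 3600           # seconds a login stays valid (assumed)


# --- HTTP Basic: the server's only lever is another 401 challenge ----------

def basic_header(user, password):
    """What the browser attaches to every request once it holds the credentials."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def parse_basic(authorization):
    """Return (user, password) from an Authorization header, or None if absent/malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:].strip(), validate=True)
        user, _, password = raw.decode("utf-8").partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return user, password


def basic_challenge(realm):
    """401 headers that make the browser re-prompt; it forgets the cached
    credentials for the realm only if the user cancels that prompt."""
    return {"WWW-Authenticate": 'Basic realm="%s"' % realm.replace('"', "")}


# --- Cookie session: login issues a signed token, logout expires it --------

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"                      # constructed, for determinism
USERS = {"alice": (_SALT, _pw_hash("correct horse", _SALT))}   # constructed table


def correct_user(user, password):
    """Constant-time check against the hashed table (the poster's helper name)."""
    entry = USERS.get(user)
    return entry is not None and hmac.compare_digest(_pw_hash(password, entry[0]), entry[1])


def _sign(data, secret):
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()


def login_cookie(user, secret, now=None):
    """Set-Cookie value: base64(user|expiry|nonce).hmac, so the client can
    neither forge a user nor extend the expiry."""
    now = int(time.time()) if now is None else int(now)
    payload = "%s|%d|%s" % (user, now + SESSION_TTL, secrets.token_hex(8))
    enc = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = enc + "." + _sign(enc, secret)
    jar[SESSION_COOKIE]["path"] = "/"
    jar[SESSION_COOKIE]["httponly"] = True     # keep it away from page scripts
    jar[SESSION_COOKIE]["secure"] = True
    return jar[SESSION_COOKIE].OutputString()


def read_session(cookie_header, secret, now=None):
    """User from a Cookie header, or None if missing, forged or expired."""
    now = int(time.time()) if now is None else int(now)
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    if SESSION_COOKIE not in jar:
        return None
    try:
        enc, _, sig = jar[SESSION_COOKIE].value.rpartition(".")
        if not enc or not hmac.compare_digest(sig, _sign(enc, secret)):
            return None
        padded = enc + "=" * (-len(enc) % 4)
        user, expiry, _nonce = base64.urlsafe_b64decode(padded).decode().split("|")
        if int(expiry) <= now:
            return None
    except (TypeError, ValueError, binascii.Error, UnicodeDecodeError):
        return None
    return user


def logout_cookie():
    """Logout is just a Set-Cookie the browser honours: empty value, past Expires, Max-Age=0."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = ""
    jar[SESSION_COOKIE]["path"] = "/"
    jar[SESSION_COOKIE]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    jar[SESSION_COOKIE]["max-age"] = 0
    return jar[SESSION_COOKIE].OutputString()


def handle_login(form, secret, now=None):
    """POST target of the HTML login form; returns (status, headers)."""
    if not correct_user(form.get("user", ""), form.get("password", "")):
        return 403, {}                       # re-show the form; no 401, no Basic prompt
    return 302, {"Location": "/", "Set-Cookie": login_cookie(form["user"], secret, now)}


def handle_request(path, headers, secret, now=None):
    """Dispatcher in the spirit of the poster's '?logout' URL; returns (status, headers)."""
    if path.split("?", 1)[1:] == ["logout"]:
        return 302, {"Location": "/", "Set-Cookie": logout_cookie()}
    user = read_session(headers.get("Cookie"), secret, now)
    if user is None:
        return 302, {"Location": "/login"}   # send to the form, not a 401
    return 200, {"X-User": user}
```

The 401 path and the cookie path never mix: a 401 without `WWW-Authenticate` does nothing to a browser's cached Basic credentials, and a cookie logout needs no status code at all, only the expiring `Set-Cookie` on whatever response is sent. Signing the token is what lets the server stay stateless; if you need to revoke a session before its expiry you must also keep a server-side list.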



