[mod_python] Form-based authentication using mod_python / Apache

Joao S. O. Bueno gwidion at mpc.com.br
Mon Nov 24 10:13:31 EST 2003


Hi there.

I am actually implementing this in the very first mod python app I am 
developing.


You actually have to override the Auth Handler from apache with a 
Python Module. 

If you google for it, you will be offered a lot of ready-made session 
control stuff, as part of existing packages.

It is not, however, that hard to implement from scratch. Here is my 
.htaccess:

  AddHandler python-program .py
  PythonHandler dummy
  PythonAuthenHandler verify


As you can see, the PythonAuthenHandler is "verify.py" which is 
called. (inside it, the authenhandler() function is called)

I then encode some session data (like originating IP + user password) 
to generate an MD5 hashed cookie I send to the browser for further 
authentication. In the server, I save a session ID file with the 
session data, and regenerate the cookie at each page load (which goes 
thru the "AuthenHandler" again) and compare it with the browser-sent 
cookie.

One thing I am still trying to find out is how to detect when the 
person navigates to another site - in which case, the session should 
be terminated. I mean: I cannot allow that once on another site one can 
be back in the secure section by hitting "back".

As of the time, I plan to implement this thru a javascript that will 
destroy the cookie in an "unload()" event. But I would appreciate more 
suggestions.


Regards,

	JS
	-><-


On Saturday 22 November 2003 20:13, martin.clausen at privat.dk wrote:
> How do I do form-based authentication using mod_python / Apache? I
> would like to use Apache's authentication mechanism (as used in the
> mod_python manual (release 3.0.3)), but would like a form-based
> login/password solution instead of the pop-up - is that possible?
>
> The only solution I have been able to find after a lot of googling
> and mailing list searches is to use javascript to prefix the login
> and password to the request from a form on a "cover" page, but
> besides the inelegance inherent in this solution and the
> security risk in transmitting the password as part of the request,
> it would not prevent the pop-up from appearing if someone requested
> the login script directly.
>
> Any help is appreciated, also if you have a solution for
> form-based authentication that does not use Apache.
>
> Regards,
>
> Martin

-- 

This e-mail is, except for the parts quoted
from other e-mails, copyright(c) of João Sebastião
de Oliveira Bueno. No copy of this e-mail or
part of it may exist on the premises of, or
in the possession of employees of, copyright
protection associations of Brazil,
the United States of America, or other
countries. In particular, this exception to the right
to read and possess this e-mail extends to
ABRA, ABPI, ABES, BSA, RIAA and MPAA. Violators
are infringing international copyright
laws and are subject to the applicable penalties.
You may reuse, amend, add
your own words to, quote and re-send any
part of it, provided that this note is
preserved and that you do not belong to any
of the aforementioned entities.
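
Added example (not part of the original post, and not mod_python's own code): a sketch of the per-request cookie check described in the message above, as it could be called from authenhandler(). It swaps the MD5 over IP + password for HMAC-SHA256 keyed with a server-side secret, and a dict stands in for the session ID file; SERVER_KEY, SESSION_TTL and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to the client
SESSION_TTL = 900                     # assumption: 15-minute idle timeout, in seconds


def _tag(session_id, user, client_ip):
    """Recompute the cookie tag from server-side session data."""
    msg = "\x00".join((session_id, user, client_ip)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(store, user, client_ip, now=None):
    """Create the session record after a successful form login; return the cookie value."""
    now = time.time() if now is None else now
    session_id = secrets.token_hex(16)  # random ID, carries no user data
    store[session_id] = {"user": user, "ip": client_ip, "seen": now}
    return session_id + "." + _tag(session_id, user, client_ip)


def verify_cookie(store, cookie, client_ip, now=None):
    """Return the user name if the cookie matches the stored session, else None."""
    now = time.time() if now is None else now
    session_id, sep, sent_tag = cookie.partition(".")
    record = store.get(session_id)
    if not sep or record is None:
        return None                     # malformed cookie or unknown session
    if now - record["seen"] > SESSION_TTL:
        del store[session_id]           # expired: drop the server-side record
        return None
    # Regenerate the tag using the IP of *this* request, as the post describes.
    expected = _tag(session_id, record["user"], client_ip)
    if not hmac.compare_digest(expected.encode(), sent_tag.encode()):
        return None                     # tampered cookie or different client IP
    record["seen"] = now                # sliding expiry on each page load
    return record["user"]
```

Because the password is not an input to the tag, a leaked cookie gives nothing to brute-force offline, and the idle timeout ends an abandoned session on the server without relying on client-side script.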





