[mod_python] Form-based authentication using mod_puthon / Apache

Daniel J. Popowich dpopowich at mtrsd.k12.ma.us
Mon Nov 24 15:10:15 EST 2003

Simon Willison writes:
> Michael C. Neel wrote:
> > ...now when we decode the cookie...
> > 
> > 1.  base64 decode it, and check our md5 sig
> > 2.  ungzip the string and parse it back to it's object/string form
> > 3.  make sure the IP, user-agent match the current request
> > 4.  make sure the timestamp is within our limit for a login
> One potential problem with checking the IP is that some people access 
> the internet through a rotating proxy, meaning that subsequent requests 
> might come from a different IP address (I've heard AOL does this). One 
> way around this would be to check that at least the first two parts of 
> the IP address stayed the same as only the last two would be likely to 
> change if a rotating proxy was in use.

But the people most likely to steal your identity through packet
sniffing are the people on your own subnet; the teenage hacker down
the street looking for a thrill.  That hacker, being on the same
subnet, would have the same network address and thus match the first
few octects of the ip addr.


More information about the Mod_python mailing list