[mod_python] Form-based authentication using mod_python / Apache

Joao S. O. Bueno gwidion at mpc.com.br
Tue Nov 25 00:32:40 EST 2003


On Monday 24 November 2003 16:55, Michael C. Neel wrote:

> 1.  base64 decode it, and check our md5 sig
> 2.  ungzip the string and parse it back to it's object/string form
> 3.  make sure the IP, user-agent match the current request
> 4.  make sure the timestamp is within our limit for a login
>
> Now even if someone gets a copy of the cookie, if they don't know
> the MD5 key they can't alter it.  Most likely their ip and or
> user-agent won't match either, but if it does the odds are the
> timeout may have been reached already, esp if it's kept low like 5
> or 10 minutes.
>
> Mike


Wow...I got it all right without asking.
From everything you wrote, the only thing I did not do was: encode the 
user agent string - I just used the client IP.
And I did not use GZIP because the MD5 hash has got a fixed length.

Oh..no..let's see...it is a bit different, what I had done:
1) pick up login time, client IP, server side Key, random session ID 
strings and save them server side
2) generate a MD5 hash from the above and use it as a cookie.
3) at each page load, pick the cookie, and compare it with one 
regenerated from strings saved on the server side, (and client IP). 
If there is no time out, and the hashed strings matched, serve the 
page.


Again, I am not using mod_python's sessions because I am restricted 
to mod_python 2.7.x for this project.

Regards,

	JS
	-><-
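The server-side scheme described in this reply, written out as an added Python example (it is not code from the thread or from mod_python): SERVER_KEY, the SESSIONS dictionary and the 10-minute timeout are assumed values. The digest is MD5 as in the post; that is acceptable here only because the server recomputes the hash from strings it stored itself and never trusts any field carried in the cookie.

```python
import hashlib
import hmac
import secrets
import time

# Assumed values: a real deployment loads the key from config, not from source.
SERVER_KEY = "example-server-key"
SESSION_TIMEOUT = 10 * 60  # seconds; the 5-10 minute window discussed in the thread

# Server-side store: cookie value -> the strings that were hashed to produce it.
SESSIONS = {}


def _digest(login_time, client_ip, session_id, key=SERVER_KEY):
    """Hash of (login time, client IP, server-side key, random session ID)."""
    material = "|".join([str(login_time), client_ip, key, session_id])
    return hashlib.md5(material.encode()).hexdigest()


def create_session(client_ip, now=None):
    """Run after a successful login; returns the value to put in the cookie."""
    now = int(time.time()) if now is None else now
    session_id = secrets.token_hex(16)  # unguessable per-login random string
    cookie = _digest(now, client_ip, session_id)
    SESSIONS[cookie] = {"login_time": now, "client_ip": client_ip, "session_id": session_id}
    return cookie


def validate_session(cookie, client_ip, now=None):
    """At each page load: regenerate the hash from the stored strings plus the
    IP of the *current* request and compare it with the presented cookie."""
    now = int(time.time()) if now is None else now
    record = SESSIONS.get(cookie)
    if record is None:
        return False  # unknown or altered cookie
    if now - record["login_time"] > SESSION_TIMEOUT:
        SESSIONS.pop(cookie, None)  # expired: drop the record so it cannot be replayed
        return False
    expected = _digest(record["login_time"], client_ip, record["session_id"])
    # A changed client IP changes the recomputed hash, so it no longer matches.
    # Constant-time comparison avoids leaking the expected value through timing.
    return hmac.compare_digest(expected, cookie)
```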