[mod_python] Authentification/Session Management

Lukas Trejtnar l.trejtnar at open.ac.uk
Thu Oct 28 06:40:15 EDT 2004

I tried both solutions and they don't work, unfortunately.

The first solution by Jorey Bump doesn't pass the first 
authentification. It keeps asking for a username and a password forever 
(newsession == 1 -> return apache.HTTP_UNAUTHORISED). Or did I miss 

      newsession = 0

      if req.session.is_new():
          newsession = 1
          req.session['passwd'] = passwd
          req.session['user'] = user

      if  passwd == "spam" and user == "eggs" and newsession == 0:
          return apache.OK
          return apache.HTTP_UNAUTHORIZED

The second solution by Terry MacDonald doesn't solve the problem either. 
I modified the code a bit [1) a session has to be saved every time it's 
authentified otherwise it expires after timeout period since creation 
time (not last accessed)!!! 2) I always have to assign a value to 
req.user variable otherwise Apache throws an error?!?!?.]:

def authenhandler( req ) :
	req.session = Session.Session(req, timeout=5)
	if req.session.is_new() :
		if 'spam' == req.get_basic_auth_pw() and 'eggs' == req.user  :
			req.session['user'] = req.user
			return apache.HTTP_UNAUTHORIZED
	req.user = req.session['user']
	return apache.OK

It doesn't work because when the session expires, a user is not asked 
for  a username and a password at all.

It seems that the Apache authentification procedure is executed before 
the mod_python authenhandler function is even called and its result is 
remembered for time a browser is opened.

I changed 'KepAlive' directive of the Apache config to 'Off', but it 
didn't help.

One solution would be to ask at the beginning of the authenhandler 
function if the session is already expired. Something like:

	if req.session.exists() and req.session.expired():
		return apache.HTTP_UNAUTHORISED

Unfortunately, I didn't find a way how to specify two functions 
mentioned above.

Any hint what I do wrong?


More information about the Mod_python mailing list