[mod_python] Authentification/Session Management

Lukas Trejtnar l.trejtnar at open.ac.uk
Thu Oct 28 06:40:15 EDT 2004


I tried both solutions and they don't work, unfortunately.

The first solution by Jorey Bump doesn't pass the first 
authentication. It keeps asking for a username and a password forever 
(newsession == 1 -> return apache.HTTP_UNAUTHORIZED). Or did I miss 
something?

      newsession = 0

      if req.session.is_new():
          newsession = 1
          req.session['passwd'] = passwd
          req.session['user'] = user

      if  passwd == "spam" and user == "eggs" and newsession == 0:
          return apache.OK
      else:
          return apache.HTTP_UNAUTHORIZED


The second solution by Terry MacDonald doesn't solve the problem either. 
I modified the code a bit [1) a session has to be saved every time it's 
authenticated, otherwise it expires after the timeout period since creation 
time (not last accessed)!!! 2) I always have to assign a value to the 
req.user variable, otherwise Apache throws an error?!?!?]:

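from mod_python import apache, Session

def authenhandler(req):
	# Session with a 5-second timeout
	req.session = Session.Session(req, timeout=5)
	if req.session.is_new():
		# New session: check the Basic auth credentials
		if 'spam' == req.get_basic_auth_pw() and 'eggs' == req.user:
			req.session['user'] = req.user
			#req.session.save()
		else:
			return apache.HTTP_UNAUTHORIZED
	# Points 1) and 2) above: always set req.user and save on every request
	req.user = req.session['user']
	req.session.save()
	return apache.OK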


It doesn't work because when the session expires, a user is not asked 
for a username and a password at all.

It seems that the Apache authentication procedure is executed before 
the mod_python authenhandler function is even called and its result is 
remembered for the time a browser is open.

I changed the 'KeepAlive' directive of the Apache config to 'Off', but it 
didn't help.

One solution would be to ask at the beginning of the authenhandler 
function if the session is already expired. Something like:

	if req.session.exists() and req.session.expired():
		return apache.HTTP_UNAUTHORIZED

Unfortunately, I didn't find a way to specify the two functions 
mentioned above.

Any hint as to what I'm doing wrong?

Thanks,
Lukas
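
The expired-session check proposed in the message above, as an added example that is not part of the original post and does not use mod_python's API. It is a framework-neutral model: `authenticate`, `check_credentials`, `store` and the cookie handling are assumptions, and a presented session id that is expired or unknown gets a 401 even when the browser re-sends cached Basic credentials.

```python
import hmac
import secrets

TIMEOUT = 5                   # idle timeout in seconds, as in Session(req, timeout=5)
OK, UNAUTHORIZED = 200, 401   # HTTP status codes


def check_credentials(user, password):
    # Demo credentials from the post; compared in constant time.
    if user is None or password is None:
        return False
    user_ok = hmac.compare_digest(user.encode(), b"eggs")
    pw_ok = hmac.compare_digest(password.encode(), b"spam")
    return user_ok and pw_ok


def authenticate(store, sid, user, password, now):
    """Return (status, session id to keep as cookie, or None).

    store maps session id -> {"user": name, "accessed": last-access time}.
    sid is the id from the request cookie, or None when no cookie was sent.
    """
    if sid:
        session = store.get(sid)
        if session is None or now - session["accessed"] > TIMEOUT:
            # Expired or unknown id: reject even if valid Basic credentials
            # came along, so the browser has to prompt the user again.
            store.pop(sid, None)
            return UNAUTHORIZED, None
        session["accessed"] = now   # sliding timeout, counted from last access
        return OK, sid
    # No cookie at all: only valid credentials may open a new session.
    if not check_credentials(user, password):
        return UNAUTHORIZED, None
    new_sid = secrets.token_hex(16)
    store[new_sid] = {"user": user, "accessed": now}
    return OK, new_sid
```

The caller has to expire the session cookie together with the 401; otherwise the stale id comes back on the retry and the prompt repeats.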

