[mod_python] Authentification/Session Management

Jorey Bump list at joreybump.com
Thu Oct 28 20:43:17 EDT 2004

Jorey Bump wrote:

> I think we both did. Your session handling code should appear in the 
> section that handles successful authentication. Then you need to perform 
> the *authorization* step by checking the validity of the session. If 
> that test fails, you return apache.HTTP_UNAUTHORIZED (in addition to 
> returning it where authentication fails):
>  if passwd == "spam" and user == "eggs":
>      session handling/tests here
>      if passed:
>          return apache.OK
>      else:
>          return apache.HTTP_UNAUTHORIZED
>  else:
>      return apache.HTTP_UNAUTHORIZED
> Again, this is untested, and I'm no sessions guru. If I get a chance to 
> work up any usable code, I'll post it.

It seems that Session.timeout() isn't suitable for tracking inactivity, 
it merely imposes a finite lifespan on the session, regardless of last 
access (correct me if I'm wrong). Therefore, you need to set session 
variables to track time between requests. This isn't too hard. I used 
Publisher's builtin authentication instead of PythonAuthenHandler, 
because I'm more familiar with it.

The basic logic is this:

1. Set session variables when session is created.
2. For each request, look at session variables to measure inactivity.
3. If inactive too long, force user to reauthenticate.

For the last step, the session may be deleted to force session 
initialization code to run again.

To test the following, open a browser, visit the appropriate URL, 
authenticate (user=eggs, pwd=spam), hit refresh a few times, pause 
longer than 5 seconds, then hit refresh again. You should be forced to 

Tested on:

Apache 2.0.52
Python 2.3.4
mod_python 3.1.3

In httpd.conf:

   <Directory "/usr/local/apache2/htdocs">
       Order allow,deny
       Allow from all
       SetHandler python-program
       PythonHandler mod_python.publisher
       PythonDebug On

This is hello.py (visit http://localhost/hello.py/say?what=something):

from mod_python.Session import Session
import time

# restrict access to this module with basic authentication
__auth_realm__ = "Restricted"

# allow these users
def __access__(req, user):
     if user == "eggs":
         return 1
         return 0

# check user and password
def __auth__(req, user, passwd):
     if user == "eggs" and passwd == "spam":
         # user has successfully authenticated
         sess = Session(req)
         if sess.has_key('max_inactive'):
             # this is an existing session

             # check length of inactivity
             elapsed = time.time() - sess['last']

             # reset timer for next request
             sess['last'] = time.time()

             # compare elapsed inactivity to maximum allowed
             if elapsed > sess['max_inactive']:
                 # it's been too long

                 # uncomment to delete session (optional)
                 # sess.delete()

                 # force user to reauthenticate
                 return 0
                 # still within time limit

                 # allow user to continue
                 return 1
             # this must be a new session, so set session variables

             # set maximum inactivity allowed, in seconds
             # use low value for testing
             sess['max_inactive'] = 5

             # initialize timer
             sess['last'] = time.time()


             # do new session stuff here
             req.write("Session started.\n\n")

             # allow user to continue
             return 1
         # wrong user or password, force user to reauthenticate
         return 0

def say(req, what="NOTHING"):
     # all that, just to see this?
     return "I am saying %s." % what

More information about the Mod_python mailing list