[mod_python] Authentication and security in general

Dan Eloff dan.eloff at gmail.com
Wed Apr 26 11:33:44 EDT 2006


On 4/25/06, Joshua Ginsberg <listspam at flowtheory.net> wrote:
> My suggestion then is that you encrypt in your database the personal
> information about people where the key is the SHA1 digest of the user's
> password. Make sure, of course, when you store their password, it is
> stored using a different family of hashing algorithm. Then when you need
> access to their personal information (e.g. credit card information)
> prompt them for their password again and use it to decrypt their record.

I wish I could do that, but my website needs access to that
information while the user is not online, so I can't encrypt it.
However, things like credit cards I can encrypt (and wouldn't feel
safe storing them without doing that).

> Generally good practice. It takes some care to ensure that possession of
> the insecure SID does not gain the user access to the secure SID or any
> information that the secure SID is required for.
>

Yes, I use a single handler as a dispatcher for my site, so I'm going
to put the logic in there before control gets passed onto the rest of
the site. If req.uri begins with /secure they will get redirected to
the login screen unless the secure session cookie exists and passes
the tests. Then it's just up to me to put everything important in the
/secure directory.

>
> Investigate the SSLRequireSSL directive.
>

Thanks!

-Dan
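A sketch of the dispatcher gate Dan describes, as an added example rather than code from the thread or from mod_python itself. It is framework-neutral (a plain function instead of a mod_python handler), and the cookie name `secure_sid`, the HMAC-signed cookie format and the secret key are all assumptions; it also shows why the prefix test should match the `/secure` path segment rather than any string starting with "/secure".

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key-rotate-me"  # assumption: per-server secret, not in the thread
SECURE_PREFIX = "/secure"
LOGIN_URL = "/login"


def sign_secure_sid(sid, expires):
    """MAC over session id and expiry so the secure cookie cannot be forged or extended."""
    msg = f"{sid}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_secure_cookie(sid, ttl_seconds, now=None):
    """Issue the secure-session cookie at login time: sid|expires|mac (constructed format)."""
    now = int(now if now is not None else time.time())
    expires = now + ttl_seconds
    return f"{sid}|{expires}|{sign_secure_sid(sid, expires)}"


def secure_cookie_is_valid(cookie, now=None):
    """The 'tests' the secure cookie must pass: well-formed, unexpired, signed by us."""
    now = int(now if now is not None else time.time())
    try:
        sid, expires_str, mac = cookie.split("|")
        expires = int(expires_str)
    except (ValueError, AttributeError):
        return False
    if expires <= now:
        return False
    return hmac.compare_digest(mac, sign_secure_sid(sid, expires))


def dispatch(uri, cookies, is_https, now=None):
    """Gate run before the rest of the site. Returns ('redirect', url) or ('serve', uri)."""
    # Match the /secure segment exactly, so /securely-public is not treated as protected
    # and a bare startswith() cannot be sidestepped by a lookalike prefix.
    in_secure_area = uri == SECURE_PREFIX or uri.startswith(SECURE_PREFIX + "/")
    if in_secure_area:
        # The secure cookie is only meaningful over TLS (SSLRequireSSL enforces this in Apache).
        if not is_https:
            return ("redirect", LOGIN_URL)
        cookie = cookies.get("secure_sid")
        if cookie is None or not secure_cookie_is_valid(cookie, now):
            return ("redirect", LOGIN_URL)
    return ("serve", uri)
```

The ordinary (insecure) session cookie is never consulted here, so holding it grants nothing in the /secure area, which is the separation Joshua's reply asks for.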


