Graham Dumpleton
grahamd at dscpl.com.au
Fri Oct 20 07:40:25 EDT 2006
When you use HTTP Basic authentication, once the user has authenticated, the credentials are stored in the web browser and supplied on each request automatically by the web browser. How long the web browser remembers those credentials depends on whether you tell the browser to remember the credentials indefinitely when presented with the login popup window. There isn't really a way of a server side application telling the web browser to forget the credentials.

In terms of what you are trying to do, people do not usually use HTTP Basic authentication. Instead they use forms based login backed up by sessions on the server side to monitor session times and implement timeouts.

So for starters, don't use HTTP Basic authentication, as it will be quite hard for you to do what you want using it.

Sorry, don't have any time to go into it further. There is an old example of doing forms based login in Vampire which you can browse through at:

  http://svn.dscpl.com.au/vampire/trunk/examples/session/

Personally I wouldn't do it this way now as in mod_python 3.3 there are some nicer ways of doing all this. It is also tied to how Vampire works, but it still may be of interest and give you some ideas of the general principles of how it might be done.

Am sure others will pipe in with suggestions as well and perhaps a simpler example. It is quite tricky to get completely right though.

Graham

On 20/10/2006, at 8:39 PM, durumdara wrote:

> Hi !
>
> I want to create a site with a restricted area.
> I use Apache auth., but I don't know how to control it later.
> The documentation is very laconic on this theme, and I cannot
> understand how to join/link my dbmsession based user management
> with this auth. method.
>
> I need a restricted area containing private information,
> pages that I don't want to show.
> Apache can keep out the non-valid users.
> In the normal way of login, when I want to enter a restricted
> area, I get a login form.
> Then I can auth. myself, and the application stores UserID,
> LoginTime, etc.
> After that I can see the content I need.
>
> This section of my code/site I can create, because in the auth.
> handler script I can login, later in the req. handler script I can
> catch the username, and if I don't have specific values in Session,
> I can write them into the user Session.
> Later I can check these values, and I can control the page view.
>
> BUT !
> I don't know how to control this Apache auth. later.
> If the Session time has expired, I need to clear the Apache auth. values
> (user, pwd). If I don't do this, the Apache auth. handler allows
> access to the restricted files.
> When does this Apache auth. finish ? How do I force it to finish/expire ?
>
> Or do I understand something wrong ?
>
> Thanks for your help:
> dd
>
> <Directory "C:/web/htdocs/club">
>     AddHandler mod_python .py
>     PythonHandler index
>     PythonAuthenHandler index
>     PythonDebug On
>     AuthType Basic
>     AuthName "Restricted Area"
>     require valid-user
> </Directory>
>
> from mod_python import apache
>
> def authenhandler(req):
>     pw = req.get_basic_auth_pw()
>     user = req.user
>     if user == "spam" and pw == "eggs":
>         return apache.OK
>     else:
>         return apache.HTTP_UNAUTHORIZED
>
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
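
The server-side session approach recommended in the reply, as an added example that is not part of the original thread and is not Vampire or mod_python code: the server keeps the login state, so it can expire or revoke it regardless of what the browser remembers. The names SessionStore and demo_check, the in-memory dict and the 15-minute idle timeout are assumptions; a form handler would send the returned id to the browser in a cookie.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, not from the thread


class SessionStore:
    """In-memory login sessions with an idle timeout (hypothetical helper)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so expiry can be tested

    def login(self, user, password, check_password):
        """Return a new unguessable session id, or None on bad credentials."""
        if not check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "login_time": now, "last_seen": now}
        return sid

    def authenticate(self, sid):
        """Return the user for a live session; expire and return None otherwise."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self._idle_timeout:
            # The server forgets the login; a replayed cookie is now useless.
            del self._sessions[sid]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid):
        """Explicit logout: something HTTP Basic gives the server no way to do."""
        self._sessions.pop(sid, None)


def demo_check(user, password):
    # Constructed check mirroring the quoted handler's "spam"/"eggs" pair;
    # compare_digest avoids leaking match length through timing.
    ok_user = hmac.compare_digest(user.encode(), b"spam")
    ok_pw = hmac.compare_digest(password.encode(), b"eggs")
    return ok_user and ok_pw
```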