[mod_python] Lama - I don't understand basic auth...

Graham Dumpleton grahamd at dscpl.com.au
Fri Oct 20 07:40:25 EDT 2006

When you use HTTP Basic authentication, once the user has authenticated
the credentials are stored in the web browser and supplied on each  
automatically by the web browser. How long the web browser remembers
those credentials depends on whether you tell the browser to remember
the credentials indefinitely when presented with the login popup window.
There isn't really a way of a server side application telling the web  
to forget the credentials.

In terms of what you are trying to do, people do not usually use HTTP  
authentication. Instead they used forms based login backed up by  
on the server side to monitor sessions times and implement timeouts.

So for starters, don't use HTTP Basic authentication, as it will be  
quite hard
for you to do what you want using it.

Sorry, don't have any time to go into it further. There is an old  
example of
doing forms based login in Vampire which you can browser through at:


Personally I wouldn't do it this way now as in mod_python 3.3 there  
are some
nicer ways of doing all this. It is also tied to how Vampire works,  
but it still may
be of interest and give you some ideas of the general principles of  
how it might
be done. Am sure others will pipe in with suggestions as well and  
perhaps a
simpler example. It is quite tricky to get completely right though.


On 20/10/2006, at 8:39 PM, durumdara wrote:

> Hi !
> I want to create a site with restricted area.
> I use apache auth., but I don't know, how to controll it later.
> The documentation is very laconic in this theme, and I cannot  
> understand, how to join/link my dbmsession based user management  
> with this auth. method.
> I need a restricted area that containing private informations,  
> pages that I don't want to show.
> Apache can keep out the non-valid users.
> In normal way of the login when I want to intrude to a restricted  
> area, a login form I get.
> Then I can auth. myself, and the application is store UserID,  
> LoginTime, etc.
> After that I can see the content I need.
> This section of my code/site I can create, because in the auth.  
> handler script I can login, later in the req. handler script I can  
> catch the username, and if I don't have specific values in Session,  
> I can write them into user Session.
> Later I can check these values, and I can control  the page view.
> BUT !
> I don't know, how to control this Apache auth. later.
> If Session time expired, I need to clear the Apache auth. values  
> (user, pwd). If don't do this the apache auth. handler allow to  
> access the restricted files.
> When this Apache auth. finished ? How to I force to finish/expire ?
> Or I understand something wrong ?
> Thanks for your help:
>    dd
> <Directory "C:/web/htdocs/club">
>    AddHandler mod_python .py
>    PythonHandler index
>    PythonAuthenHandler index
>    PythonDebug On
>    AuthType Basic
>    AuthName "Restricted Area"
>    require valid-user
> </Directory>
> from mod_python import apache
> def authenhandler(req):
>    pw = req.get_basic_auth_pw()
>    user = req.user
>    if user == "spam" and pw == "eggs":
>       return apache.OK
>    else:
>       return apache.HTTP_UNAUTHORIZED
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python

More information about the Mod_python mailing list