[mod_python] Form variables question

Richard Lewis richardlewis at fastmail.co.uk
Fri Mar 30 10:05:44 EST 2007


Couple of things caught my eye

On Friday 30 March 2007 14:59, Olaf Stein wrote:
>
> I have a form (method post):
>
> <input type=text name=userid>
> <input type=text name=pw>
>
A little OT (for mod_python), but this is not well-formed HTML 4 or XHTML 1. 
You should use quote marks for attribute values and (for XHTML) <input> must 
be an empty element:

<input type="text" name="userid" />

Also note that there is an <input type="password"> element which (on most 
browsers) does not echo input. It's a nice touch ;-)

> When the form button is clicked I call a function login(req,userid,pw)
> Within this function I can use the variables userid and pw to authenticate
> a user.
>
> Is this the ideal/safest way of passing variables or are there any
> other/better mechanisms
>
This is a good way for sending general variables. But you may want a more 
secure method of sending login credentials. (If you're asking about sending 
the variables around inside your Python script, once the variables have 
arrived at the server, you can pass them around your Python script as much as 
you like without any security implications.)

You can obfuscate the login details by using POST instead of GET, but this only 
means that the user can't see them once they submit the login form. The only 
security advantage is that a nearby user can't glance at the URL on his 
neighbour's screen to get the password.

You can use SSL to send information over an encrypted connection.

You can also (and this is easiest, assuming you have access to the Apache 
configuration) use Apache's built-in authentication system. See: 
http://httpd.apache.org/docs/2.0/howto/auth.html. You can access the user 
name and password the user provided via Request.user and 
Request.get_basic_auth_pw().

See:
http://www.modpython.org/live/current/doc-html/pyapi-mprequest-mem.html#l2h-124
http://www.modpython.org/live/current/doc-html/pyapi-mprequest-meth.html#l2h-58

Cheers,
Richard
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Richard Lewis
http://www.richard-lewis.me.uk/
JID: ironchicken at jabber.earth.li
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
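
As an added example (not from the original message or the mod_python project): a PythonAuthenHandler that reads the credentials through req.get_basic_auth_pw() and req.user, as the message describes, and refuses them over a non-SSL connection. It assumes mod_python 3.3 or later for req.is_https(); the USERS store, its account and the helper names are constructed for illustration.

```python
import hashlib
import hmac

try:  # inside Apache the real status constants are used
    from mod_python import apache
    OK, UNAUTHORIZED, FORBIDDEN = (apache.OK, apache.HTTP_UNAUTHORIZED,
                                   apache.HTTP_FORBIDDEN)
except ImportError:  # same numeric values, so the logic also runs outside Apache
    OK, UNAUTHORIZED, FORBIDDEN = 0, 401, 403

ITERATIONS = 200_000


def hash_pw(password, salt):
    """PBKDF2-HMAC-SHA256, so the server keeps no clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample account store: user -> (salt, derived key).
USERS = {"olaf": (b"constructed-salt",
                  hash_pw("correct horse", b"constructed-salt"))}


def credentials_ok(user, password, users=USERS):
    # Unknown users still cost one hash, so timing does not reveal them.
    salt, expected = users.get(user, (b"dummy-salt", b""))
    candidate = hash_pw(password or "", salt)
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, expected) and user in users


def authenhandler(req):
    # Basic auth only base64-encodes the password, so refuse plain HTTP.
    if not req.is_https():
        return FORBIDDEN
    pw = req.get_basic_auth_pw()  # must be called before req.user is read
    user = req.user
    if user is None or not credentials_ok(user, pw):
        return UNAUTHORIZED       # makes the browser prompt again
    return OK
```

The handler would be enabled with a PythonAuthenHandler directive alongside AuthType Basic, AuthName and a Require line in the Apache configuration.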

