[mod_python] Form variables question

Sean Davis sdavis2 at mail.nih.gov
Fri Mar 30 10:35:45 EST 2007


On Friday 30 March 2007 11:05, Richard Lewis wrote:
> Couple of things caught my eye
>
> On Friday 30 March 2007 14:59, Olaf Stein wrote:
> > I have a form (method post):
> >
> > <input type=text name=userid>
> > <input type=text name=pw>
>
> A little OT (for mod_python), but this is not well-formed HTML 4 or XHTML
> 1. You should use quote marks for attribute values and (for XHTML) <input>
> must be an empty element:
>
> <input type="text" name="userid" />
>
> Also note that there is an <input type="password"> element which (on most
> browsers) does not echo input. It's a nice touch ;-)
>
> > When the form button is clicked I call a function login(req,userid,pw)
> > Within this function I can use the variables userid and pw to
> > authenticate a user.
> >
> > Is this the ideal/safest way of passing variables or are there any
> > other/better mechanisms
>
> This is a good way for sending general variables. But you may want a more
> secure method of sending login credentials. (If you're asking about sending
> the variables around inside your Python script, once the variables have
> arrived at the server, you can pass them around your Python script as much
> as you without any security implications.)
>
> You can obfuscate the login details by using POST instead of GET, but this
> only means that the user can't see them once they submit the login form.
> The only security advantage is that a near-by user can't glance at the URL
> on his neighbour's screen to get the password.
>
> You can use SSL to send information over an encrypted connection.

Just a couple of other suggestions...

Or encrypt the password using JavaScript before sending.

> You can also (and this is easiest, assuming you have access to the Apache
> configuration) use Apache's built-in authentication system. See:
> http://httpd.apache.org/docs/2.0/howto/auth.html. You can access the user
> name and password the user provided via Request.user and
> Request.get_basic_auth_pw().

There is also digest authentication, which is more secure than basic 
authentication.

> See:
> http://www.modpython.org/live/current/doc-html/pyapi-mprequest-mem.html#l2h-124
> http://www.modpython.org/live/current/doc-html/pyapi-mprequest-meth.html#l2h-58
>
> Cheers,
> Richard
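An added illustration of the basic-vs-digest point made above (example code written for this page, not from the thread, from Apache or from mod_python): what a server sees in the Authorization header under HTTP Basic versus HTTP Digest (RFC 2617, qop=auth), using only the Python standard library. The user store, realm and nonces are constructed; mod_python's own req.get_basic_auth_pw() is not used.

```python
# Added example, not from the thread or mod_python: Basic exposes the password
# to anyone who sees the request (without SSL), Digest sends only an MD5 hash
# bound to the nonce, method and URI, so the server recomputes and compares it.
import base64
import hashlib
import hmac
import re

USERS = {"olaf": "s3cret"}  # constructed password store (Digest needs the plaintext)


def decode_basic(auth_header):
    """Basic: the header is just base64(user:password), one decode away from the secret."""
    scheme, _, blob = auth_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pw = base64.b64decode(blob).decode().partition(":")
    return user, pw


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, pw, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{pw}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_digest_header(user, pw, method, uri, realm, nonce, cnonce, nc="00000001"):
    """Client side: only the hash travels in the header, never the password."""
    resp = digest_response(user, realm, pw, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(auth_header):
    """Minimal parser for quoted or bare key=value pairs (no commas inside values)."""
    scheme, _, rest = auth_header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return dict(re.findall(r'(\w+)="?([^",]+)"?', rest))


def verify_digest(auth_header, method, lookup_password):
    """Server side: recompute the response from the stored password and compare in
    constant time. The server must also expire nonces, or a captured header replays."""
    p = parse_digest(auth_header)
    pw = lookup_password(p.get("username", ""))
    if pw is None or p.get("qop") != "auth":
        return False
    try:
        expected = digest_response(p["username"], p["realm"], pw, method, p["uri"],
                                   p["nonce"], p["nc"], p["cnonce"])
    except KeyError:  # malformed header
        return False
    return hmac.compare_digest(expected, p["response"])
```

Both schemes still ride over the wire in clear unless SSL is used, so Digest only removes the password itself from the request, not the need for an encrypted connection.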