Matt Barnicle
mattb at wageslavery.org
Tue Oct 7 18:38:51 EDT 2008
> 2008/10/7 Standa <stanislav.stipl at gmail.com>:
>> Hello,
>> I am trying to write a web application, where the user logs in to it
>> with a web form
>> and then the mod_python application communicates with the xmlrpc server. I
>> would need either to keep a persistent xmlrpc connection between
>> http requests
>> or store the user's login and password. I have already tried to keep the login
>> and password using the mod_python session, but it is stored in an
>> unencrypted file
>> on the hard disk and I don't think this would be safe enough.
>> Could you help
>> me? I am sorry about my English..
>>
>>
>> Best regards, Standa
>
>
> Have you considered hashing the password before adding it to the mod_python
> session? Or possibly passing some other kind of session id
> to the RPC server instead of the username and password?
>
> Colin

I think you only need to manage your state, don't you? I would use Colin's
advice above, and then just set a flag on the back end to track whether the
user is logged in or not. You only need to authenticate the user's password
once per active session, unless you want to ask them again for their password
if they are trying to change the main data in their account, like their
contact email address or password. Otherwise, use some unique hashed session
id that you store in the user's cookies and store another copy of that id on
the back end. If the two ids match on future requests, and the backend
logged_in flag is still true, they are logged in. When they log out, remove
their session cookie and destroy the backend data.

- m@
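The scheme Matt describes above (password verified once, an opaque random id in the cookie, a back-end copy with a logged_in flag, record destroyed on logout) as an added Python example; this is not code from the thread or from mod_python. The in-memory dict standing in for the back-end store, the SESSION_TTL value and the check_credentials callback are assumptions.

```python
import hashlib
import secrets
import time

SESSION_TTL = 3600  # seconds a session stays valid; assumed value

# Constructed in-memory stand-in for the back-end store. A real deployment
# would use a database or cache shared by all mod_python processes.
_sessions = {}


def _key(session_id):
    # Store only a digest of the cookie value, so a copy of the store
    # does not contain anything usable as a cookie.
    return hashlib.sha256(session_id.encode()).hexdigest()


def login(username, password, check_credentials):
    """Check the password once (check_credentials is the caller's verifier,
    e.g. a call to the XML-RPC server), then issue a random session id.
    The password itself is never kept anywhere."""
    if not check_credentials(username, password):
        return None
    session_id = secrets.token_urlsafe(32)
    _sessions[_key(session_id)] = {
        "user": username,
        "logged_in": True,
        "expires": time.time() + SESSION_TTL,
    }
    return session_id  # this value goes into the user's cookie


def current_user(cookie_value, now=None):
    """Return the username if the cookie id matches a live back-end record
    whose logged_in flag is still set; otherwise None."""
    if not cookie_value:
        return None
    now = time.time() if now is None else now
    record = _sessions.get(_key(cookie_value))
    if record is None or not record["logged_in"]:
        return None
    if now > record["expires"]:
        _sessions.pop(_key(cookie_value), None)  # expired: destroy server copy
        return None
    return record["user"]


def logout(cookie_value):
    """Destroy the back-end record; the caller also clears the cookie."""
    _sessions.pop(_key(cookie_value), None)
```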