If you are doing a real web application, HTTP authentication is likely not
the way to go.  Use a session token.  If you are using a framework, they
likely already have this done.  If not, here is a basic primer.

0. At the start of each page request, look for a SessionToken cookie.  If
it is not found, then create one and send it in a cookie.  This must be
secure and impossible to guess the next value.  See an example at:
https://github.com/appcove/AppStruct/blob/gaps/Python/AppStruct/Security.py

1. Have a login page with username and password.

2. Post this to your WSGI app.  Read the username and password from the
form post.

3. Look them up in your database (or dict if hardcoded).  If no match,
display error, and go back to step 1.  For example:

if username in authdict and authdict[username] == password:
  pass

4. Assuming username and password match, then save that fact to a database
or memory cache like Redis.  You need to save the session token, when it
expires, and what the username or user ID is.

5. On every page request, look up the session token in the database.  If it
is found, make sure it is not expired.  If not expired, then you are good
to go.  Otherwise kick them back to the login page.

---
I'd like to add that this is really easy to think you got right only to
make a mistake.  You would likely be better using a pre-built framework
that has this done.

Also, you should really SALT and HASH your passwords.  See the link above
for a way to use SHA1 to do this.  Read up on it.

--
The threading.local class is handy because it keeps per-thread variables
(like Session Token).

import threading

class AppClass(threading.local):
  def __init__(self):
    # Fresh per thread: the first access from a new thread runs __init__
    self.SessionToken = None
  def OnRequestStart(self):
    # Session cookie logic
    # set self.SessionToken
    pass

App = AppClass()

and then in somefile.py:

from MyProject import App

This means that you can reference App.SessionToken safely in a
multi-threaded environment.  You can do the same with other stuff like DB
connections, etc...


--
Hope this helps



On Fri, Jul 12, 2013 at 3:54 PM, <[email protected]> wrote:

> Hi All,
>
> So I'm fairly new to web development in general. I'm quite familiar with
> the Python language, so I found mod_wsgi to be right up my alley. I've
> created an app that only I will be using from multiple locations. I have
> the app on HTTPS, without any HTTP whatsoever. I am now looking to further
> secure my page from prying eyes using some sort of authentication scheme.
> My data is not terribly sensitive, I'm just paranoid and in case I develop
> something more in the future, I'd like to know the right ways to do this.
> Basic and Digest kind of scare me, as Basic sends the username/password
> from the browsers credential cache with every request. To use Digest,
> clients and servers need to store the HA1. Which I also find to not be as
> secure as I'd like, if my comprehension of both schemes is accurate. It
> seems these both might be sufficient for a single-user page over HTTPS. But
> is there something more that Python can offer me that I can make use of
> within mod_wsgi applications?
>
> What ways can I implement authentication through wsgi? I don't mind being
> criticized, if you don't mind taking the time to school me proper.
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/modwsgi.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>

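The steps 0 to 5 above, plus the salt-and-hash advice and the threading.local trick, wired together into one small WSGI app. This is an added example and not code from the thread or from the linked AppStruct file. Assumptions: passwords are stored as PBKDF2-HMAC-SHA256 with a per-user random salt (a swapped-in choice; the linked file uses SHA1), a plain dict stands in for the Redis session store, the session lifetime SESSION_TTL, the /login path and the cookie attributes are all made up for the example, and the single user "alice" is constructed test data.

```python
import hashlib
import hmac
import os
import secrets
import threading
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SESSION_TTL = 3600  # seconds a session stays valid (assumed value)

# Salt and hash: PBKDF2-HMAC-SHA256 with a per-user random salt.
# (The thread's linked file uses SHA1; PBKDF2 is a swapped-in choice here.)
def hash_password(password, salt=None, rounds=100_000):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest

def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

# Constructed user table standing in for "database (or dict)": username -> (salt, digest)
AUTHDICT = {"alice": hash_password("correct horse")}
# Hashed once so an unknown username still costs one PBKDF2 run (no timing tell)
DUMMY_CREDS = hash_password(secrets.token_hex(16))

# Step 4 store: token -> (username, expires_at). A dict standing in for Redis.
SESSIONS = {}

def new_token():
    # Step 0: 256 bits from the OS CSPRNG; the next value cannot be guessed.
    return secrets.token_urlsafe(32)

def create_session(username, now=None):
    now = time.time() if now is None else now
    token = new_token()
    SESSIONS[token] = (username, now + SESSION_TTL)
    return token

def lookup_session(token, now=None):
    """Step 5: username for a known, unexpired token, otherwise None."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        SESSIONS.pop(token, None)  # expired: drop it and force a fresh login
        return None
    return username

# Per-thread request state (threading.local, lowercase 'l')
class AppClass(threading.local):
    def __init__(self):
        self.SessionToken = None
        self.User = None

App = AppClass()

def application(environ, start_response):
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    App.SessionToken = cookies["SessionToken"].value if "SessionToken" in cookies else None
    App.User = lookup_session(App.SessionToken) if App.SessionToken else None
    headers = [("Content-Type", "text/plain")]

    # Steps 1-3: the login form posts username/password here (path is assumed)
    if environ["REQUEST_METHOD"] == "POST" and environ.get("PATH_INFO") == "/login":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        username = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        salt, digest = AUTHDICT.get(username, DUMMY_CREDS)
        # Always run the hash, then require the user to actually exist
        ok = verify_password(password, salt, digest) and username in AUTHDICT
        if not ok:
            start_response("401 Unauthorized", headers)
            return [b"bad username or password\n"]
        token = create_session(username)
        # Secure: sent over HTTPS only. HttpOnly: not readable by page scripts.
        headers.append(("Set-Cookie",
                        f"SessionToken={token}; Path=/; Secure; HttpOnly; SameSite=Lax"))
        start_response("200 OK", headers)
        return [b"logged in\n"]

    # Step 5: no valid session -> back to the login page
    if App.User is None:
        start_response("302 Found", headers + [("Location", "/login")])
        return [b""]
    start_response("200 OK", headers)
    return [f"hello {App.User}\n".encode()]
```

Point it at mod_wsgi as any other `application` callable. Because `App` is a threading.local, each worker thread sees only the SessionToken and User set during its own request, which is what makes `from MyProject import App` safe to use from other modules. Expired sessions are removed on lookup, so the store does not grow without bound for users who simply stop visiting.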