Yup. I'd say that helps. Thank you. You have given me enough to go off of and do some learning. This is why I wanted to do it myself: to learn how. Thank you very much. I appreciate it greatly. I can't say with all certainty that I won't have questions regarding this in the future though... :P
On Friday, July 12, 2013 3:10:04 PM UTC-7, Jason Garber wrote:
>
> If you are doing a real web application, HTTP authentication is likely not
> the way to go. Use a session token. If you are using a framework, they
> likely already have this done. If not, here is a basic primer.
>
> 0. At the start of each page request, look for a SessionToken cookie. If
> it is not found, then create one and send it in a cookie. This must be
> secure, and the next value must be impossible to guess. See an example at:
> https://github.com/appcove/AppStruct/blob/gaps/Python/AppStruct/Security.py
>
> 1. Have a login page with username and password.
>
> 2. Post this to your WSGI app. Read the username and password from the
> form post.
>
> 3. Look them up in your database (or dict if hardcoded). If no match,
> display an error, and go back to step 1. For example:
>
>     if username in authdict and authdict[username] == password:
>         pass
>
> 4. Assuming username and password match, then save that fact to a database
> or memory cache like Redis. You need to save the session token, when it
> expires, and what the username or user ID is.
>
> 5. On every page request, look up the session token in the database. If
> it is found, make sure it is not expired. If not expired, then you are
> good to go. Otherwise kick them back to the login page.
>
> ---
> I'd like to add that this is really easy to think you got right only to
> make a mistake. You would likely be better using a pre-built framework
> that has this done.
>
> Also, you should really SALT and HASH your passwords. See the link above
> for a way to use SHA1 to do this. Read up on it.
>
> --
> The threading.local class is handy because it keeps per-thread variables
> (like Session Token).
>
>     import threading
>
>     class AppClass(threading.local):
>         def __init__(self):
>             self.SessionToken = None
>
>         def OnRequestStart(self):
>             # Session cookie logic goes here:
>             # read the SessionToken cookie and set self.SessionToken
>             pass
>
>     App = AppClass()
>
> and then in somefile.py:
>
>     from MyProject import App
>
> This means that you can reference App.SessionToken safely in a
> multi-threaded environment. You can do the same with other stuff like DB
> connections, etc...
>
> --
> Hope this helps
>
> On Fri, Jul 12, 2013 at 3:54 PM, <[email protected]> wrote:
>
>> Hi All,
>>
>> So I'm fairly new to web development in general. I'm quite familiar with
>> the Python language, so I found mod_wsgi to be right up my alley. I've
>> created an app that only I will be using from multiple locations. I have
>> the app on HTTPS, without any HTTP whatsoever. I am now looking to further
>> secure my page from prying eyes using some sort of authentication scheme.
>> My data is not terribly sensitive, I'm just paranoid, and in case I develop
>> something more in the future, I'd like to know the right ways to do this.
>> Basic and Digest kind of scare me, as Basic sends the username/password
>> from the browser's credential cache with every request. To use Digest,
>> clients and servers need to store the HA1, which I also find to not be as
>> secure as I'd like, if my comprehension of both schemes is accurate. It
>> seems these both might be sufficient for a single-user page over HTTPS. But
>> is there something more that Python can offer me that I can make use of
>> within mod_wsgi applications?
>>
>> What ways can I implement authentication through wsgi? I don't mind being
>> criticized, if you don't mind taking the time to school me proper.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "modwsgi" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/modwsgi.
>> For more options, visit https://groups.google.com/groups/opt_out.
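The session-token primer (steps 0 to 5) and the salt-and-hash advice from the quoted reply, worked into one small WSGI app. This is an example added here, not Jason Garber's code or the AppStruct module he links: the user "alice", her password, SESSION_TTL and the in-memory SESSIONS dict are constructed, PBKDF2-SHA256 stands in for the SHA1 scheme the link describes, and the threading.local part is left out.

```python
import hashlib, hmac, secrets, time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SESSION_TTL = 3600   # seconds a session token stays valid (constructed value)
SESSIONS = {}        # token -> (username, expires_at); a DB or Redis outside this demo

def hash_password(password, salt=None):
    # The salt-and-hash step: PBKDF2-SHA256 with a random per-user salt; returns (salt_hex, digest_hex).
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 200_000)
    return salt, digest.hex()

USERS = {"alice": hash_password("correct horse battery")}   # constructed user store for the example

def login(username, password, now=None):
    # Steps 3-4: check the credentials (constant-time compare); on success mint and record a token.
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(hash_password(password, rec[0])[1], rec[1]):
        return None
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, so the next value is unguessable
    SESSIONS[token] = (username, (now or time.time()) + SESSION_TTL)
    return token

def session_user(token, now=None):
    # Step 5: resolve a token to its user; unknown or expired tokens yield None and are purged.
    username, expires_at = SESSIONS.get(token, (None, 0))
    if (now or time.time()) >= expires_at:
        SESSIONS.pop(token, None)   # an expired token must not be accepted later
        return None
    return username

def application(environ, start_response):
    # WSGI entry point: POST /login issues the cookie; every other request needs a live session.
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = cookies["SessionToken"].value if "SessionToken" in cookies else None
    headers = [("Content-Type", "text/plain")]
    if environ["REQUEST_METHOD"] == "POST" and environ.get("PATH_INFO") == "/login":
        body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0)).decode()
        form = parse_qs(body)
        token = login(form.get("username", [""])[0], form.get("password", [""])[0])
        if token:   # HttpOnly keeps scripts away from it; Secure matches the HTTPS-only deployment
            headers.append(("Set-Cookie", f"SessionToken={token}; Path=/; HttpOnly; Secure; SameSite=Strict"))
    user = session_user(token) if token else None
    if user is None:
        start_response("401 Unauthorized", headers)   # no valid session: back to the login page
        return [b"login required"]
    start_response("200 OK", headers)
    return [f"hello {user}".encode()]
```

Under mod_wsgi the `application` callable above is what the WSGIScriptAlias points at; the only state it needs outside the process is the SESSIONS store, which is why the reply suggests a database or Redis.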
