On Mon, Jul 7, 2008 at 9:10 PM, James <[EMAIL PROTECTED]> wrote: > Hi All, > > I'm writing a web application in CherryPy. What a beautiful thing it > is to write Python code and get a simple yet powerful web output. :) > > The web application needs to have some decent level of security and > authentication implemented. > > The big issue here is that the user password is stored in a database > and algorithmically calculated as follows: > md5( md5( $password ) + salt ) )
> CherryPy obviously has a 'session' library in it. But in the periods > of time I've researched writing web applications in the past > (primarily when dealing with PHP), there was always great debate in > how to write a "good" secure web application. (i.e., it becomes tricky > when determining what precisely you should be passing around in terms > of session variables). A typical usage is to have a session cookie that is a key into some kind of server storage, e.g. a database table. The cookie itself doesn't contain any information. You might want to look at TurboGears, it uses CherryPy so it might not be too hard to migrate your code, and it includes an identity subsystem that supports user-written authentication backends. See for example http://docs.turbogears.org/1.0/GettingStartedWithIdentity http://docs.turbogears.org/1.0/IdentityRecipes?action=show&redirect=1.0%2FIdentityRecipies#authenticating-against-an-external-password-source Kent _______________________________________________ Tutor maillist - Tutor@python.org http://mail.python.org/mailman/listinfo/tutor