CGI question: safe passwords possible?

Erik Max Francis max at alcyone.com
Sat May 31 04:01:10 EDT 2003


Will Stuyvesant wrote:

> - Authenticate?  HTTP Digest?
> To authenticate means something like identify?  So the server knows it
> is *the* user and not somebody else?  I have only a vague notion of
> this.

"Authentication" merely means verifying who you've got on the other end
of the connection.  That can be done in a lot of ways and for many
different purposes.  The context here is identifying a user, by him
entering a password.  The difficulty is how to do this in a manner where
the password is never transmitted plaintext over the wire (ideal
solution) or the exposure is at very least limited.

> Indeed I am on a hosted environment, so SSL is no option, as far as I
> understand...

In that case you'll probably want to go for one of the
password-minimizing schemes.  It really depends on what people are using
this password for, and how serious a concern it would be if their
password were compromised.  If it's for anything financial, anything
less than SSL will almost certainly be unacceptable.  If it's, say, for
a game, you might not really be worried about people snooping passwords,
but rather people stealing session information from someone else (i.e.,
if someone is playing and someone else uses their password, they'll know
about it; the concern is someone taking session information and using it
to register their own turns).

> I did see "Authentication:" headers in the HTTP, could that be done
> from CGI?

That's HTTP authentication, a form of authentication that's specified by
the HTTP protocol.  It, however, transmits the password plaintext over
the wire.

> - .htaccess?
> I guess to "upload a simple .htaccess" is possible, just like putting
> .html files in ~/public_html or .py (CGI) files in ~/cgi-bin?  But
> what do I put in that .htaccess file?

.htaccess is just an Apache configuration file that tells the server
additional information about the directory that's being accessed and
what to do about it (provided the Apache server is configured to inspect
.htaccess files; this can be turned off at the server level).  If you
were to use static HTTP authentication, you'd probably put the rules
here; if you were to use dynamic HTTP authentication (i.e., the CGI
script can add and remove users), then you'd probably want to do it
yourself via the appropriate HTTP headers.

-- 
   Erik Max Francis && max at alcyone.com && http://www.alcyone.com/max/
 __ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
/  \ You are inspiration to my life / You are the reason why I smile
\__/  India Arie
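The "dynamic HTTP authentication via the appropriate HTTP headers" that Erik describes, as an added example that is not part of the original post: a Python CGI script that challenges with `WWW-Authenticate`, parses the browser's `Authorization: Basic` header, and checks the credentials against salted PBKDF2 hashes rather than stored plaintext. The user table, the realm name "members", the user "alice" and her password are all constructed here for illustration; the credentials still cross the wire base64-encoded (that is, effectively plaintext), exactly as the post warns, so this shows the server-side mechanics only, not a fix for the transport problem.

```python
import base64
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (illustrative; tune for your hardware)
REALM = "members"     # constructed realm name for the 401 challenge


def make_record(password, salt=None):
    """Return (salt, pbkdf2_sha256_hash) for storing a password server-side."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed user table; in a real CGI setup this would live in a file
# outside the document root, never in the script itself.
USERS = {"alice": make_record("correct horse battery staple")}


def encode_basic(user, password):
    """Build the header value a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header):
    """Return (user, password) from a 'Basic <base64>' header, or None if malformed."""
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        return None
    return user, password


def verify(user, password, users=USERS):
    """Constant-time check of a password against the stored salted hash."""
    record = users.get(user)
    # Hash even for unknown users so a missing account is not distinguishable by timing.
    salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return record is not None and hmac.compare_digest(actual, expected)


def build_response(environ, users=USERS):
    """Return (status_line, headers, body) for one CGI request, given its environment."""
    creds = parse_basic_authorization(environ.get("HTTP_AUTHORIZATION"))
    if creds and verify(*creds, users=users):
        return ("Status: 200 OK", [("Content-Type", "text/plain")], f"Hello, {creds[0]}\n")
    # No or bad credentials: challenge the client. The realm is what the browser shows.
    return ("Status: 401 Unauthorized",
            [("WWW-Authenticate", f'Basic realm="{REALM}"'), ("Content-Type", "text/plain")],
            "Authentication required\n")


if __name__ == "__main__":
    # As a CGI script: emit the headers, a blank line, then the body.
    status, headers, body = build_response(os.environ)
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
    print()
    print(body, end="")
```

One caveat when wiring this into a hosted Apache: by default Apache does not expose the client's `Authorization` header to CGI scripts at all (httpd 2.4.13 and later pass it through only when `CGIPassAuth On` is set in the relevant `.htaccess` or directory config), so check the server before relying on `HTTP_AUTHORIZATION`. The static alternative the post mentions is the `AuthType Basic` / `AuthUserFile` / `Require valid-user` stanza in `.htaccess`, which moves the whole check into Apache but gives the script no way to add or remove users.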