CGI question: safe passwords possible?

Ian Bicking ianb at colorstudy.com
Sat May 31 04:14:41 EDT 2003


On Sat, 2003-05-31 at 03:01, Erik Max Francis wrote:
> > - .htaccess?
> > I guess to "upload a simple .htaccess" is possible, just like putting
> > .html files in ~/public_html or .py (CGI) files in ~/cgi-bin?  But
> > what do I put in that .htaccess file?
> 
> .htaccess is just an Apache configuration file that tells the server
> additional information about the directory that's being accessed and
> what to do about it (provided the Apache server is configured to inspect
> .htaccess files; this can be turned off at the server level).  If you
> were to use static HTTP authentication, you'd probably put the rules
> here; if you were to use dynamic HTTP authentication (i.e., the CGI
> script can add and remove users), then you'd probably want to do it
> yourself via the appropriate HTTP headers.

FWIW, getting access to the authentication headers yourself can be quite
difficult.  Apache does not freely pass authentication information on to
CGI scripts, for security reasons (particularly with people who don't
trust each other on the same domain).  If you don't have complete
control of Apache, don't even bother trying.

However, you can do authentication in several ways in Apache.
.htpasswd/.htaccess is one; you can also authenticate off of LDAP,
MySQL, etc.  Your host may or may not have installed the appropriate
modules.

You don't have to give access rules in .htaccess (though I think you do
have to give the location of .htpasswd and maybe some other
information).  From your CGI script you can raise a 401 error, and that
will cause the browser to try to get a username and password.  Something
like:

print 'Status: 401 Authentication Required'
print 'WWW-Authenticate: Basic realm="Please enter a password"'
print   # a blank line ends the CGI header block; without it the browser never sees the challenge

Apache then sets an environment variable if they successfully log in.
This is all Apache stuff, not Python stuff, so the Apache docs are
really the next place to look.

Basic authentication, it should be noted, sends the password in cleartext
(or close enough).

  Ian
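A complete CGI script doing what the post above describes, added here as an example and not part of the original message: it relies on Apache (configured through .htaccess/.htpasswd) to set REMOTE_USER, issues the 401 challenge when that variable is absent, and includes a small decoder showing why Basic credentials count as cleartext. The realm name and the sample credentials are constructed for the example, and it is written for Python 3 rather than the Python 2 print statements in the post.

```python
import base64
import os
import sys

REALM = "Members only"  # assumed realm name, not from the original post


def build_response(environ):
    """Return (status, header_lines, body) for one CGI request.

    Apache's auth module sets REMOTE_USER once the user has logged in;
    the script never sees the password itself, only the user name.
    Without REMOTE_USER the browser is challenged with a 401.
    """
    user = environ.get("REMOTE_USER")
    if not user:
        headers = [
            "Status: 401 Unauthorized",
            'WWW-Authenticate: Basic realm="%s"' % REALM,
            "Content-Type: text/plain",
        ]
        return 401, headers, "Authentication required.\n"
    return 200, ["Content-Type: text/plain"], "Hello, %s.\n" % user


def emit(status, headers, body, out=sys.stdout):
    # CGI output is: header lines, exactly one blank line, then the body.
    # Forgetting the blank line is the classic reason a challenge "does nothing".
    for line in headers:
        out.write(line + "\r\n")
    out.write("\r\n")
    out.write(body)


def decode_basic(header_value):
    """Decode an Authorization header value to (user, password).

    Basic auth is only base64-encoded, not encrypted, which is why the
    post calls it cleartext "or close enough": anyone on the path can
    reverse this without a key, so it needs TLS underneath.
    """
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    emit(*build_response(os.environ))
```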
