[newbie]apache authentication questions

Steve Holden steve at holdenweb.com
Mon Jun 12 18:44:04 EDT 2006


nuffnough at gmail.com wrote:
> I have an apache 1.3.29 server that is running my website.  I have
> written a bunch of scripts to generate the pages from csv files which
> work great.
> 
> My next thing to learn is how to get user authentication functioning
> the way I need it.
> 
> I understand the steps required to make .htpaccess files work,  but

that's ".htaccess", but you probably knew that.

> this won't be enough for my purposes.  I want the site to remember that
> a visitor has logged in or not,  and also to read a bunch of personal
> info from a csv file dedicated to the userbase.  (A later project will
> be to convert my csv files into databases,  but I am into baby steps at
> the moment, so just focussing on python website authentication)
> 
> Ideally I would like this authentication to not be in the form of a
> popup,  but rather via a username/password pair of fields at some place
> on the page.  After authentication,  this should be replaced by some
> generic "have a nice day" kinda message,  or perhaps simply removed
> altogether.  Additionally, they will be able to alter their personal
> information and doing stuff like filling in the feedback form should
> mean that they don't have to enter any personal info, just fill in the
> details and click the send button.  My experience with .htaccess files
> is that they make an authentication popup,  which is not what I am
> aiming at.
> 
> How can I incorporate this sort of user info in the apache
> authentication stuff using python?
> 
In other words you want the application to authenticate the user rather 
than use any of the HTTP authentication schemes.

This entails maintaining "session state", usually referenced by a 
cookie, and having each page that requires authentication check that the 
user's session state indicates login has already been achieved (and 
hasn't been timed out). Alternatively they can verify by program that 
the browser has presented correct authorization credentials, but there 
seems little advantage to doing this since the server can do it for you, 
and it still involves the browser pop-up you want to get rid of.

It also means that your authenticated pages must all be programmed pages 
(no static content like HTML or plain text).

Since HTTP authentication is managed by the browser it's difficult to 
integrate it with web application authentication: basically you have to 
choose between the two. There's no way for the server to tell the 
browser to start presenting the required authentication credentials 
except by raising a 401 (not authorised) error response, which is what 
makes the browser bring up its little popup.

I could write a book about this stuff ...

regards
  Steve
-- 
Steve Holden       +44 150 684 7255  +1 800 494 3119
Holden Web LLC/Ltd          http://www.holdenweb.com
Love me, love my blog  http://holdenweb.blogspot.com
Recent Ramblings     http://del.icio.us/steve.holden
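
The cookie-referenced session check described in the reply above, as an added example that is not part of the original post. The cookie name, the timeout value, the in-memory store and the sample user record are assumptions made for illustration; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_TIMEOUT = 1800   # idle seconds before a new login is required (assumed)
COOKIE_NAME = "sid"      # hypothetical cookie name
_sessions = {}           # in-memory for the demo; a multi-process site needs shared storage

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user record standing in for one row of the user CSV file.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

def login(username, password, now=None):
    """Return a Set-Cookie header value on success, None on bad credentials."""
    salt, stored = USERS.get(username, (_SALT, b""))
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    sid = secrets.token_urlsafe(32)          # unguessable reference to the state
    _sessions[sid] = {"user": username,
                      "last_seen": time.time() if now is None else now}
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["httponly"] = True   # keep the id away from page scripts
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()

def current_user(cookie_header, now=None):
    """Called by every protected page: user name, or None if not logged in."""
    now = time.time() if now is None else now
    try:
        morsel = SimpleCookie(cookie_header or "").get(COOKIE_NAME)
    except CookieError:
        return None
    session = _sessions.get(morsel.value) if morsel else None
    if session is None:
        return None
    if now - session["last_seen"] > SESSION_TIMEOUT:
        del _sessions[morsel.value]          # timed out: destroy the state
        return None
    session["last_seen"] = now               # sliding idle timeout
    return session["user"]
```

A page script would pass the request's `Cookie` header to `current_user()` and show the login form when it returns `None`; when the site is served over HTTPS the cookie should also carry the `Secure` attribute.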



