[Tutor] python + http authentication (with cherrypy)

Kent Johnson kent37 at tds.net
Tue Jul 8 03:54:13 CEST 2008


On Mon, Jul 7, 2008 at 9:10 PM, James <jtp at nc.rr.com> wrote:
> Hi All,
>
> I'm writing a web application in CherryPy. What a beautiful thing it
> is to write Python code and get a simple yet powerful web output. :)
>
> The web application needs to have some decent level of security and
> authentication implemented.
>
> The big issue here is that the user password is stored in a database
> and algorithmically calculated as follows:
> md5( md5( $password ) + salt )

> CherryPy obviously has a 'session' library in it. But in the periods
> of time I've researched writing web applications in the past
> (primarily when dealing with PHP), there was always great debate in
> how to write a "good" secure web application. (i.e., it becomes tricky
> when determining what precisely you should be passing around in terms
> of session variables).

A typical usage is to have a session cookie that is a key into some
kind of server storage, e.g. a database table. The cookie itself
doesn't contain any information.

You might want to look at TurboGears, it uses CherryPy so it might not
be too hard to migrate your code, and it includes an identity
subsystem that supports user-written authentication backends. See for
example
http://docs.turbogears.org/1.0/GettingStartedWithIdentity
http://docs.turbogears.org/1.0/IdentityRecipes?action=show&redirect=1.0%2FIdentityRecipies#authenticating-against-an-external-password-source

Kent
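
The session pattern described in the reply above, as an added example that is not part of the original message and is not CherryPy or TurboGears code: the cookie value is only a random key into server-side storage, and login checks the md5(md5(password) + salt) scheme from the question. The in-memory dict, the function names, the timeout and the sample user are assumptions, as is the PHP-style use of hex digests inside the hash.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 1800   # assumed idle timeout, in seconds
_sessions = {}       # token -> session record; stands in for a database table

def legacy_hash(password, salt):
    # Scheme from the question, assuming hex digests as PHP's md5() returns.
    # MD5 is fast to brute-force; it is used here only to match the existing table.
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

def check_password(password, salt, stored_hash):
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(legacy_hash(password, salt), stored_hash)

def login(users, username, password, now=None):
    """Return a fresh session token for the cookie, or None on bad credentials."""
    now = time.time() if now is None else now
    record = users.get(username)
    if record is None or not check_password(password, record["salt"], record["hash"]):
        return None
    token = secrets.token_urlsafe(32)   # opaque: carries no user information
    _sessions[token] = {"user": username, "expires": now + SESSION_TTL}
    return token

def current_user(token, now=None):
    """Map a cookie value back to a user name; unknown or expired tokens give None."""
    now = time.time() if now is None else now
    session = _sessions.get(token)
    if session is None:
        return None
    if session["expires"] <= now:
        del _sessions[token]            # expired: drop the server-side record
        return None
    session["expires"] = now + SESSION_TTL   # sliding expiry on each use
    return session["user"]

def logout(token):
    # Deleting the server-side record invalidates the cookie immediately.
    _sessions.pop(token, None)

# Constructed sample user table (not from the original message).
USERS = {"james": {"salt": "x9Qz", "hash": legacy_hash("s3cret", "x9Qz")}}
```

Because the token is only a lookup key, anything the application needs to know about the user stays on the server and can be revoked there.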

