[Tutor] python + http authentication (with cherrypy)

Reed O'Brien reed at reedobrien.com
Tue Jul 8 03:48:20 CEST 2008


On Jul 7, 2008, at 9:10 PM, James wrote:

> Hi All,
>
> I'm writing a web application in CherryPy. What a beautiful thing it
> is to write Python code and get a simple yet powerful web output. :)
>
> The web application needs to have some decent level of security and
> authentication implemented.
>
> The big issue here is that the user password is stored in a database
> and algorithmically calculated as follows:
> md5( md5( $password ) + salt ) )
>
>
> The salt is also stored in the database (which I have full access to).
> I can easily use the md5 library to compare what a user gives me and
> see if that's the correct password (based on the salt and the stored
> password in the database). I'm unsure, however, how to go about
> implementing security into my web application.

I had to do some stuff with salted hashed passwords a few months back
and noted some stuff here:
http://reedobrien.blogspot.com/2008/01/seeded-salted-sha-passwords.html

md5 hash length would be 16 instead of sha's 20 IIRC... but otherwise
I hope it helps you.

>
>
> CherryPy obviously has a 'session' library in it. But in the periods
> of time I've researched writing web applications in the past
> (primarily when dealing with PHP), there was always great debate in
> how to write a "good" secure web application. (i.e., it becomes tricky
> when determining what precisely you should be passing around in terms
> of session variables).
>
> Thoughts? Am I going about this the wrong way? It would be much easier
> to use either digest or basic http authentication mechanisms, but I
> don't think that this is possible because of the fact that the
> password is double-hashed in the database (or am I wrong?).
>
> Any help appreciated. :o)
>
> -j
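A verifier for the scheme James describes, added here as an example and not code from the thread. It assumes the inner md5 is a hex digest concatenated with the salt as a string before the outer md5, uses a constructed in-memory user table in place of the database, and exposes a checkpassword(realm, username, password) callable of the shape CherryPy's basic-auth tool accepts. Basic auth delivers the cleartext password to the server on each request, so the stored double hash can be recomputed; digest auth cannot be used with this store, because the server never sees the plaintext.

```python
import hashlib
import hmac


def double_md5(password: str, salt: str) -> str:
    """md5( md5(password) + salt ) as hex digests (encoding is an assumption)."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def make_record(password: str, salt: str) -> dict:
    """Build a stored record: per-user salt plus the double hash."""
    return {"salt": salt, "hash": double_md5(password, salt)}


# Constructed stand-in for the database table of salts and hashes.
USERS = {
    "james": make_record("correct horse", "a1b2c3"),
}

# Dummy salt so an unknown user still costs one hash computation.
_DUMMY_SALT = "000000"


def verify_password(username: str, password: str) -> bool:
    """Recompute the double hash with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        double_md5(password, _DUMMY_SALT)  # equalise timing for missing users
        return False
    candidate = double_md5(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def checkpassword(realm: str, username: str, password: str) -> bool:
    """(realm, username, password) -> bool, the callable shape a basic-auth tool calls per request."""
    return verify_password(username, password)


if __name__ == "__main__":
    print(checkpassword("app", "james", "correct horse"))  # True
    print(checkpassword("app", "james", "wrong"))          # False
```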
