[newbie] apache authentication questions

nuffnough

I have an apache 1.3.29 server that is running my website. I have
written a bunch of scripts to generate the pages from csv files which
work great.

My next thing to learn is how to get user authentication functioning
the way I need it.

I understand the steps required to make .htpaccess files work, but
this won't be enough for my purposes. I want the site to remember that
a visitor has logged in or not, and also to read a bunch of personal
info from a csv file dedicated to the userbase. (A later project will
be to convert my csv files into databases, but I am into baby steps at
the moment, so just focussing on python website authentication)

Ideally I would like this authentication to not be in the form of a
popup, but rather via a username/password pair of fields at some place
on the page. After authentication, this should be replaced by some
generic "have a nice day" kinda message, or perhaps simply removed
altogether. Additionally, they will be able to alter their personal
information and doing stuff like filling in the feedback form should
mean that they don't have to enter any personal info, just fill in the
details and click the send button. My experience with .htaccess files
is that they make an authentication popup, which is not what I am
aiming at.

How can I incorporate this sort of user info in the apache
authentication stuff using python?

TIA!

Nuffnnough.
 
Steve Holden

> I have an apache 1.3.29 server that is running my website. I have
> written a bunch of scripts to generate the pages from csv files which
> work great.
>
> My next thing to learn is how to get user authentication functioning
> the way I need it.
>
> I understand the steps required to make .htpaccess files work, but

that's ".htaccess", but you probably knew that.

> this won't be enough for my purposes. I want the site to remember that
> a visitor has logged in or not, and also to read a bunch of personal
> info from a csv file dedicated to the userbase. (A later project will
> be to convert my csv files into databases, but I am into baby steps at
> the moment, so just focussing on python website authentication)
>
> Ideally I would like this authentication to not be in the form of a
> popup, but rather via a username/password pair of fields at some place
> on the page. After authentication, this should be replaced by some
> generic "have a nice day" kinda message, or perhaps simply removed
> altogether. Additionally, they will be able to alter their personal
> information and doing stuff like filling in the feedback form should
> mean that they don't have to enter any personal info, just fill in the
> details and click the send button. My experience with .htaccess files
> is that they make an authentication popup, which is not what I am
> aiming at.
>
> How can I incorporate this sort of user info in the apache
> authentication stuff using python?

In other words you want the application to authenticate the user rather
than use any of the HTTP authentication schemes.

This entails maintaining "session state", usually referenced by a
cookie, and having each page that requires authentication check that the
user's session state indicates login has already been achieved (and
hasn't been timed out). Alternatively they can verify by program that
the browser has presented correct authorization credentials, but there
seems little advantage to doing this since the server can do it for you,
and it still involves the browser pop-up you want to get rid of.

It also means that your authenticated pages must all be programmed pages
(no static content like HTML or plain text).

Since HTTP authentication is managed by the browser it's difficult to
integrate it with web application authentication: basically you have to
choose between the two. There's no way for the server to tell the
browser to start presenting the required authentication credentials
except by raising a 401 (not authorised) error response, which is what
makes the browser bring up its little popup.

I could write a book about this stuff ...

regards
Steve
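
An added example (not from the thread) of the approach described in the post above: a login function that checks the form fields against a CSV userbase and issues a session cookie, and a per-page check that enforces the timeout. The CSV column layout, the cookie name `sid`, the 30-minute timeout and the in-memory session table are assumptions for illustration.

```python
import csv, hashlib, hmac, io, secrets, time
from http.cookies import SimpleCookie

SESSION_TTL = 1800   # idle timeout in seconds (assumed value)
SESSIONS = {}        # token -> {"user", "seen"}; in-memory store for the demo

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()

# Constructed sample userbase row: username, salt hex, password hash, email
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS_CSV = "alice,%s,%s,alice@example.org\n" % (
    _SALT.hex(), hash_password("correct horse", _SALT))

def load_users(text):
    return {row[0]: row for row in csv.reader(io.StringIO(text)) if row}

def login(users, username, password, now=None):
    """Check the form fields; return a Set-Cookie value, or None on failure."""
    row = users.get(username)
    # Hash even for unknown names so response time does not reveal valid users.
    salt = bytes.fromhex(row[1]) if row else b"\0" * 16
    expected = row[2] if row else ""
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)   # unguessable session id
    SESSIONS[token] = {"user": username, "seen": now or time.time()}
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["httponly"] = True    # not readable from page scripts
    cookie["sid"]["secure"] = True      # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()

def current_user(cookie_header, now=None):
    """Run by every protected page: map the Cookie header to a user or None."""
    now = now or time.time()
    morsel = SimpleCookie(cookie_header or "").get("sid")
    session = SESSIONS.get(morsel.value) if morsel is not None else None
    if session is None:
        return None
    if now - session["seen"] > SESSION_TTL:   # timed out: drop server state
        del SESSIONS[morsel.value]
        return None
    session["seen"] = now                      # sliding expiry
    return session["user"]
```

Under CGI each request is a separate process, so the session table would have to live in a file or database rather than a module-level dict.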
 
grahamd

Steve said:
> Since HTTP authentication is managed by the browser it's difficult to
> integrate it with web application authentication: basically you have to
> choose between the two. There's no way for the server to tell the
> browser to start presenting the required authentication credentials
> except by raising a 401 (not authorised) error response, which is what
> makes the browser bring up its little popup.

It is not impossible though and in cases where you don't have a choice
but to use a HTTP authentication scheme, use of AJAX may be the
answer to still allowing use of a form based login scheme. See:

http://www.peej.co.uk/articles/http-auth-with-html-forms.html

Graham
 
Michael Ströder

Steve said:
> That's neat!

IMHO this makes things more complicated and error-prone. And it requires
Javascript. I also can't see why this is more secure than a proper
session management (using cookies or URL for passing the session ticket
around).

Ciao, Michael.
 
Steve Holden

Michael said:
> IMHO this makes things more complicated and error-prone. And it requires
> Javascript. I also can't see why this is more secure than a proper
> session management (using cookies or URL for passing the session ticket
> around).

I don't believe I said it *was* any of those things. But I am constantly
amazed at the lengths the world will go to just to prove me wrong!

regards
Steve
 
