Password protection system for web app

Jegenye 2001 Bt

Could someone please suggest a very lightweight solution for protecting
directories on a web server? (membership system)

The job is basically this:
An administrator, after logging in via the web, should have the ability to
add/remove users who then could access their own password protected
directories only with their browsers.

I know this could be easily done with Zope (I know that) and probably with
many other fully blown web application servers like Webware, etc. of which
there are many.
But now all I need is some CGI hacks since I don't want to deploy something
heavier than that.

I've searched on www.python.org and Google but I haven't found much.

I found some Perl solutions, which work with .htaccess files, and PHP thingies,
but I'd really like to hack on Python scripts but not on this part...
Either HTTP basic authentication or cookie based authentication would do.

Thanks in advance,

Miklós
 
Peter Hansen

Jegenye said:
> Could someone please suggest a very lightweight solution for protecting
> directories on a web server? (membership system)
>
> The job is basically this:
> An administrator, after logging in via the web, should have the ability to
> add/remove users who then could access their own password protected
> directories only with their browsers.

That doesn't help. What is *in* these directories? Or do you mean
to use the term in the sense of "folder of files"?

More importantly: how much do you want to protect the contents from
prying eyes? Is this on a local network, and therefore considered
secure from hackers (disregarding the fact that this is never the case)?
Does it need to encrypt data going across the web? After all,
without encryption (and therefore SSL/HTTPS) dozens of people could
intercept your data and read it or the passwords.

Or is the data and application almost totally unimportant, and all
you are trying to do is prevent casual/accidental misuse of one
person's account by another?

-Peter
 
Jegenye 2001 Bt

Yes, folder of files.
No, I doubt any SSL/HTTPS stuff would be needed.
Though the data is not "unimportant" at all, but I think basic HTTP
authentication (.htaccess files) or cookie based protection would do just
fine.
(Btw, HTTPS is available so that could be used as well, I think. It ought
to work with either of the above, aren't I right?)
All in all, I'm after a quick (and dirty?) solution to Pythonically do the
above job. I guess I could do this relatively quickly but I don't feel like
coding this part at all.
Thanx a lot.

Best,
Miklós
 
Andrew Clover

Jegenye 2001 Bt said:
> Could someone please suggest a very lightweight solution for protecting
> directories on a web server? (membership system)

Depends on what the web server is, and how it's set up. The obvious
solution for Apache is to put mod_auth stuff in .htaccess. You can then
let Apache do both the authentication and the directory browsing.

> An administrator, after logging in via the web, should have the ability to
> add/remove users who then could access their own password protected
> directories only with their browsers.

This can be done either by having the CGIs update the .htpasswd file
directly, or with a database password backend like mod_auth_mysql.

> I know this could be easily done with Zope (I know that) and probably with
> many other fully blown web application servers like Webware, etc. of which
> there are many. But now all I need some CGI hacks

Doing HTTP authentication yourself with CGI has problems. Primarily, that
Apache doesn't pass the Authorization header to your scripts (unless you
recompile it with the SECURITY_HOLE_PASS_AUTHORIZATION switch). With IIS
you also have to be sure to turn all auth features off (anon access only)
and remove the default error page for 403, or auth won't work.

> Either HTTP basic authentication or cookie based authentication would do.

If you can only do standard-CGI, without proper config access to the server,
cookie-based auth is probably your easiest solution, yes.
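
The cookie-based approach suggested above, sketched in Python as an added example that is not part of the original thread or any poster's code: a CGI script signs the user name and an expiry time with an HMAC, verifies the cookie on each request, and only serves paths that resolve inside that user's own folder. `SECRET`, `ROOT`, the user-name pattern and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, os, re, time

# Assumptions for this sketch: the key is constructed (load a random one from a
# file outside the web root) and ROOT is a hypothetical parent of user folders.
SECRET = b"constructed-demo-key"
ROOT = "/srv/members"
USER_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue_cookie(user, ttl=3600, now=None):
    """Cookie value to set once the login form has checked the password.
    Send it over HTTPS with the Secure and HttpOnly attributes."""
    if not USER_RE.fullmatch(user):
        raise ValueError("bad user name")
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{expires}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()

def verify_cookie(value, now=None):
    """Return the user name, or None if forged, malformed or expired."""
    try:
        b64, mac = value.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        # Constant-time comparison, done before the payload is parsed.
        if not hmac.compare_digest(mac.encode(), _sign(payload)):
            return None
        user, expires = payload.decode().rsplit("|", 1)
        if int(expires) < (time.time() if now is None else now):
            return None
        return user if USER_RE.fullmatch(user) else None
    except ValueError:
        return None

def may_read(user, requested):
    """True only if `requested` resolves inside ROOT/<user>/ (no ../ or symlink escape)."""
    if not USER_RE.fullmatch(user):
        return False
    home = os.path.realpath(os.path.join(ROOT, user))
    target = os.path.realpath(os.path.join(home, requested.lstrip("/")))
    return os.path.commonpath([home, target]) == home
```
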
 
Jegenye 2001 Bt

Andrew Clover said:
> Depends on what the web server is, and how it's set up. The obvious
> solution for Apache is to put mod_auth stuff in .htaccess. You can then
> let Apache do both the authentication and the directory browsing.

Yes, it's Apache. (Sorry, I had thought that's obvious from my mentioning
.htaccess files in my original post.) (+Linux, actually)

> This can be done either by having the CGIs update the .htpasswd file
> directly, or with a database password backend like mod_auth_mysql.

And to have some open sourced Python code, which does exactly that, is what
I'd be happy with..

> Doing HTTP authentication yourself with CGI has problems. Primarily, that
> Apache doesn't pass the Authorization header to your scripts (unless you
> recompile it with the SECURITY_HOLE_PASS_AUTHORIZATION switch). With IIS
> you also have to be sure to turn all auth features off (anon access only)
> and remove the default error page for 403, or auth won't work.

Uh, that's valuable input, thanx for telling me. So it seems the
administering script itself cannot be protected that way..

> do.
>
> If you can only do standard-CGI, without proper config access to the server,
> cookie-based auth is probably your easiest solution, yes.

Er, I'd be happy as well with some code which does this...

I really don't feeeeeeeeeeeeel like coding (and testing) this authentication
part at all, I'd just want to throw in some pre-made thinggy. ;)

Thanx a lot,
Miklós
 
