Password protection system for web app

Discussion in 'Python' started by Jegenye 2001 Bt, Oct 12, 2003.

  1. Could someone please suggest a very lightweight solution for protecting
    directories on a web server? (membership system)

    The job is basically this:
    An administrator, after logging in via the web, should have the ability to
    add/remove users who then could access their own password protected
    directories only with their browsers.

    I know this could be easily done with Zope (I know that) and probably with
    many other fully blown web application servers like Webware, etc. of which
    there are many.
    But now all I need is some CGI hacks since I don't want to deploy something
    heavier than that.

    I've searched on www.python.org and Google but I haven't found much.

    I found some Perl solutions, which work with .htaccess files, and PHP thingies,
    but I'd really like to hack on Python scripts but not on this part...
    Either HTTP basic authentication or cookie based authentication would do.

    Thanks in advance,

    Miklós
     
    Jegenye 2001 Bt, Oct 12, 2003
    #1

  2. Peter Hansen Guest

    Jegenye 2001 Bt wrote:
    >
    > Could someone please suggest a very lightweight solution for protecting
    > directories on a web server? (membership system)
    >
    > The job is basically this:
    > An administrator, after logging in via the web, should have the ability to
    > add/remove users who then could access their own password protected
    > directories only with their browsers.


    That doesn't help. What is *in* these directories? Or do you mean
    to use the term in the sense of "folder of files"?

    More importantly: how much do you want to protect the contents from
    prying eyes? Is this on a local network, and therefore considered
    secure from hackers (disregarding the fact that this is never the case)?
    Does it need to encrypt data going across the web? After all,
    without encryption (and therefore SSL/HTTPS) dozens of people could
    intercept your data and read it or the passwords.

    Or is the data and application almost totally unimportant, and all
    you are trying to do is prevent casual/accidental misuse of one
    person's account by another?

    -Peter
     
    Peter Hansen, Oct 14, 2003
    #2

  3. Yes, folder of files.
    No, I doubt any SSL/HTTPS stuff would be needed.
    Though the data is not "unimportant" at all, but I think basic HTTP
    authentication (.htaccess files) or cookie based protection would do just
    fine.
    (Btw, HTTPS is available so that could be used as well, I think. It ought
    to work with either of the above, aren't I right?)
    All in all, I'm after a quick (and dirty?) solution to Pythonically do the
    above job. I guess I could do this relatively quickly but I don't feel like
    coding this part at all.
    Thanx a lot.

    Best,
    Miklós


    Peter Hansen <> wrote in message
    news:...
    > Jegenye 2001 Bt wrote:
    > >

    >
    > That doesn't help. What is *in* these directories? Or do you mean
    > to use the term in the sense of "folder of files"?
    >
    > More importantly: how much do you want to protect the contents from
    > prying eyes? Is this on a local network, and therefore considered
    > secure from hackers (disregarding the fact that this is never the case)?
    > Does it need to encrypt data going across the web? After all,
    > without encryption (and therefore SSL/HTTPS) dozens of people could
    > intercept your data and read it or the passwords.
    >
    > Or is the data and application almost totally unimportant, and all
    > you are trying to do is prevent casual/accidental misuse of one
    > person's account by another?
    >
    > -Peter
     
    Jegenye 2001 Bt, Oct 14, 2003
    #3
  4. "Jegenye 2001 Bt" <> wrote:

    > Could someone please suggest a very lightweight solution for protecting
    > directories on a web server? (membership system)


    Depends on what the web server is, and how it's set up. The obvious
    solution for Apache is to put mod_auth stuff in .htaccess. You can then
    let Apache do both the authentication and the directory browsing.

    > An administrator, after logging in via the web, should have the ability to
    > add/remove users who then could access their own password protected
    > directories only with their browsers.


    This can be done either by having the CGIs update the .htpasswd file
    directly, or with a database password backend like mod_auth_mysql.

    > I know this could be easily done with Zope (I know that) and probably with
    > many other fully blown web application servers like Webware, etc. of which
    > there are many. But now all I need some CGI hacks


    Doing HTTP authentication yourself with CGI has problems. Primarily, that
    Apache doesn't pass the Authorization header to your scripts (unless you
    recompile it with the SECURITY_HOLE_PASS_AUTHORIZATION switch). With IIS
    you also have to be sure to turn all auth features off (anon access only)
    and remove the default error page for 403, or auth won't work.

    > Either HTTP basic authentication or cookie based authentication would do.


    If you can only do standard-CGI, without proper config access to the server,
    cookie-based auth is probably your easiest solution, yes.

    --
    Andrew Clover
    mailto:
    http://www.doxdesk.com/
     
    Andrew Clover, Oct 14, 2003
    #4
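
The cookie-based approach suggested in the reply above, as an added example that is not code from any poster in this thread: a login issues an HMAC-signed, expiring cookie, and each request is checked so that a user only reaches their own folder. The `/members` prefix, the user-name pattern and the per-process key are assumptions, and the path is assumed to arrive already URL-decoded (as CGI's `PATH_INFO` does).

```python
import base64, hashlib, hmac, os, posixpath, re, time

SECRET_KEY = os.urandom(32)  # assumption: a real CGI loads a persistent key kept outside the web root
SESSION_TTL = 3600           # session lifetime in seconds
MEMBERS_ROOT = "/members"    # hypothetical URL prefix holding one folder per user

def hash_password(password, salt=None):
    """Salted PBKDF2 hash for the user store; never keep the plain password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def make_cookie(user, now=None):
    """Cookie value 'base64(user|expiry).hmac', issued after a successful login."""
    expires = int(time.time() if now is None else now) + SESSION_TTL
    payload = base64.urlsafe_b64encode(f"{user}|{expires}".encode()).decode()
    return f"{payload}.{_sign(payload)}"

def read_cookie(cookie, now=None):
    """Return the user name, or None if the cookie is forged, malformed or expired."""
    now = time.time() if now is None else now
    try:
        payload, sig = cookie.rsplit(".", 1)
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None
        user, expires = base64.urlsafe_b64decode(payload).decode().rsplit("|", 1)
        return user if int(expires) >= now else None
    except ValueError:  # covers bad base64, bad UTF-8 and a missing separator
        return None

def may_access(user, url_path):
    """Allow only paths inside the user's own folder, after resolving '..' segments."""
    if not re.fullmatch(r"[a-z0-9_]{1,32}", user or ""):
        return False
    clean = posixpath.normpath("/" + url_path.lstrip("/"))
    home = f"{MEMBERS_ROOT}/{user}"
    return clean == home or clean.startswith(home + "/")

def set_cookie_header(user):
    # Secure keeps the cookie off plain HTTP; HttpOnly hides it from page scripts.
    return f"Set-Cookie: session={make_cookie(user)}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

The `Secure` attribute only helps if the site is served over HTTPS, which the thread notes is available on this server.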
  5. Andrew Clover <> wrote in message
    news:...
    > "Jegenye 2001 Bt" <> wrote:
    >
    > > Could someone please suggest a very lightweight solution for protecting
    > > directories on a web server? (membership system)

    >
    > Depends on what the web server is, and how it's set up. The obvious
    > solution for Apache is to put mod_auth stuff in .htaccess. You can then
    > let Apache do both the authentication and the directory browsing.
    >

    Yes, it's Apache. (Sorry, I had thought that's obvious from my mentioning
    .htaccess files in my original post.) (+Linux, actually)

    >
    > This can be done either by having the CGIs update the .htpasswd file
    > directly, or with a database password backend like mod_auth_mysql.
    >

    And to have some open sourced Python code, which does exactly that, is what
    I'd be happy with..

    >
    > Doing HTTP authentication yourself with CGI has problems. Primarily, that
    > Apache doesn't pass the Authorization header to your scripts (unless you
    > recompile it with the SECURITY_HOLE_PASS_AUTHORIZATION switch). With IIS
    > you also have to be sure to turn all auth features off (anon access only)
    > and remove the default error page for 403, or auth won't work.
    >

    Uh, that's valuable input, thanx for telling me. So it seems the
    administering script itself cannot be protected that way..

    > > Either HTTP basic authentication or cookie based authentication would do.
    >
    > If you can only do standard-CGI, without proper config access to the server,
    > cookie-based auth is probably your easiest solution, yes.
    >

    Er, I'd be happy as well with some code which does this...

    I really don't feeeeeeeeeeeeel like coding (and testing) this authentication
    part at all, I'd just want to throw in some pre-made thinggy. ;)

    Thanx a lot,
    Miklós


    --
    Prisznyák Miklós
    ---
    Jegenye 2001 Bt. ( mailto: )
    Egyedi szoftverkészítés, tanácsadás
    Custom software development, consulting
    http://jegenye2001.parkhosting.com
     
    Jegenye 2001 Bt, Oct 14, 2003
    #5