Quoth Bahadir Balban at 12/30/2006 08:16 AM...
> For example, how could I serve content based on username, how could I
> send passwords in encrypted form? How could I make use of signed
> cookies, maintain a session with the same user, etc. Any books to
> cover such web development recipes using apache? Preferably using
> mod_python?

All you need to do is to maintain state, either by using cookies (easiest) or by getting your software to maintain persistent variables through the query string (messy).

As this is the modssl list, I am assuming that you are doing this through an SSL connection. Passwords, therefore, would be encrypted along with the rest of the data.

So, you send the encrypted user name and password and - if OK - set a cookie that contains the user name and a hash (MD5, SHA1, etc.) of the user name and a secret string provided by the server. (Or just the user name and a hash of the user name and password that can be checked every time you change page.)

You would need to either a) know that your clients can all accept cookies, such as in an intranet situation, b) have a fall-back mechanism to work when cookies are not available or c) disclaim that your system will not work without cookies. You may be able to get away with this, but check up on your local accessibility laws (if any).

One thing to always bear in mind is that - except in an intranet situation - you cannot assume anything of the user agent. If you do anything clever using JavaScript, say to create a name/password hash client-side, always provide a means of fallback in case the method (JavaScript, etc.) is not available.

So, you don't really need to involve Apache in the equation, as your scripted solution (mod_python, etc.) can take care of this. PHP is rather clever in this respect in that it can look after session variables [to preserve state] for you. I have written similar mechanisms in Perl, but prefer the PHP solution as it is easier.

At the end of the day, personally, I use basic authentication + SSL for all my applications. The only disadvantage is the restriction of one SSL virtual host per IP address/port.

Hope this gives you some ideas.

Cheers

M

--
Matthew Smith
IT Consultancy & Web Application Development
Business: http://www.kbc.net.au/
Personal: http://www.smiffysplace.com/
LinkedIn: http://www.linkedin.com/in/smiffy
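
The signed-cookie scheme described in the reply above (user name plus a hash of the user name and a server-side secret), as an added example that is not part of the original message. It uses HMAC-SHA256 in place of a bare MD5/SHA1 hash of name and secret and compares tags in constant time; the secret value, the `b64(user)|tag` cookie layout and the function names are assumptions.

```python
import base64
import hashlib
import hmac

# Assumption: constructed secret for the example. A real deployment loads it
# from server-side configuration and never sends it to the client.
SERVER_SECRET = b"constructed-example-secret"


def _tag(user: str) -> bytes:
    """HMAC-SHA256 over the user name, keyed with the server secret."""
    mac = hmac.new(SERVER_SECRET, user.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest().encode("ascii")


def make_cookie(user: str) -> str:
    """Cookie value to set after the user name and password have been checked."""
    name = base64.urlsafe_b64encode(user.encode("utf-8")).decode("ascii")
    return f"{name}|{_tag(user).decode('ascii')}"


def verify_cookie(value: str):
    """Return the user name if the cookie is untampered, otherwise None."""
    try:
        name, tag = value.split("|", 1)
        user = base64.urlsafe_b64decode(name.encode("ascii")).decode("utf-8")
    except (ValueError, UnicodeError):
        return None  # missing separator, bad base64 or bad encoding
    # Constant-time comparison: the check must not reveal how much of a
    # forged tag was correct.
    if hmac.compare_digest(_tag(user), tag.encode("utf-8")):
        return user
    return None


if __name__ == "__main__":
    cookie = make_cookie("alice")
    print(cookie, "->", verify_cookie(cookie))
    # Swapping in another user name while keeping alice's tag must fail.
    forged_name = base64.urlsafe_b64encode(b"admin").decode("ascii")
    forged = forged_name + "|" + cookie.split("|", 1)[1]
    print(forged, "->", verify_cookie(forged))
```

The tag covers only the user name, so this cookie never expires on its own; including an expiry timestamp in the MACed data and setting the cookie with the `Secure` attribute are the usual extensions.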