Re: [newbie]apache authentication questions
[EMAIL PROTECTED] wrote: Steve Holden wrote: [EMAIL PROTECTED] wrote: Since HTTP authentication is managed by the browser it's difficult to integrate it with web application authentication: basically you have to choose between the two. There's no way for the server to tell the browser to start presenting the required authentication credentials except by raising a 401 (not authorised) error response, which is what makes the browser bring up its little popup. It is not impossible though and in cases where you don't have a choice but to use a HTTP authentication scheme, use of AJAX may be the answer to still allowing use of a form based login scheme. See: http://www.peej.co.uk/articles/http-auth-with-html-forms.html That's neat! regards Steve -- Steve Holden +44 150 684 7255 +1 800 494 3119 Holden Web LLC/Ltd http://www.holdenweb.com Love me, love my blog http://holdenweb.blogspot.com Recent Ramblings http://del.icio.us/steve.holden -- http://mail.python.org/mailman/listinfo/python-list
Re: [newbie]apache authentication questions
Steve Holden wrote: [EMAIL PROTECTED] wrote: It is not impossible though and in cases where you don't have a choice but to use a HTTP authentication scheme, use of AJAX may be the answer to still allowing use of a form based login scheme. See: http://www.peej.co.uk/articles/http-auth-with-html-forms.html That's neat! IMHO this makes things more complicated and error-prone. And it requires Javascript. I also can't see why this is more secure than a proper session management (using cookies or URL for passing the session ticket around). Ciao, Michael. -- http://mail.python.org/mailman/listinfo/python-list
Re: [newbie]apache authentication questions
Michael Ströder wrote: Steve Holden wrote: [EMAIL PROTECTED] wrote: It is not impossible though and in cases where you don't have a choice but to use a HTTP authentication scheme, use of AJAX may be the answer to still allowing use of a form based login scheme. See: http://www.peej.co.uk/articles/http-auth-with-html-forms.html That's neat! IMHO this makes things more complicated and error-prone. And it requires Javascript. I also can't see why this is more secure than a proper session management (using cookies or URL for passing the session ticket around). I don't believe I said it *was* any of those things. But I am constantly amazed at the lengths the world will go to just to prove me wrong! regards Steve -- Steve Holden +44 150 684 7255 +1 800 494 3119 Holden Web LLC/Ltd http://www.holdenweb.com Love me, love my blog http://holdenweb.blogspot.com Recent Ramblings http://del.icio.us/steve.holden -- http://mail.python.org/mailman/listinfo/python-list
[newbie]apache authentication questions
I have an apache 1.3.29 server that is running my website. I have written a bunch of scripts to generate the pages from csv files which work great. My next thing to learn is how to get user authentication functioning the way I need it. I understand the steps required to make .htpaccess files work, but this won't be enough for my purposes. I want the site to remember that a visitor has logged in or not, and also to read a bunch of personal info from a csv file dedicated to the userbase. (A later project will be to convert my csv files into databases, but I am into baby steps at the moment, so just focussing on python webiste authentication) Ideally I would like this authentication to not be in the form of a popup, but rather via a username/password pair of fields at some place on the page. After authentication, this should be reaplced by some generic have a nice day kinda message, or perhaps simply removed altogether. Additionally, they will be able to alter their personal information and doing stuff like filling in the feedback form should mean that they don't have to enter any personal info, just fill in the details and click the send buttopn. My experience with .htaccess files is that they make an authentication popup, which is not what I am aiming at. How can I incorporate this sort of user info in the apache authentication stuff using python? TIA! Nuffnnough. -- http://mail.python.org/mailman/listinfo/python-list
Re: [newbie]apache authentication questions
[EMAIL PROTECTED] wrote: I have an apache 1.3.29 server that is running my website. I have written a bunch of scripts to generate the pages from csv files which work great. My next thing to learn is how to get user authentication functioning the way I need it. I understand the steps required to make .htpaccess files work, but that's .htaccess, but you probably knew that. this won't be enough for my purposes. I want the site to remember that a visitor has logged in or not, and also to read a bunch of personal info from a csv file dedicated to the userbase. (A later project will be to convert my csv files into databases, but I am into baby steps at the moment, so just focussing on python webiste authentication) Ideally I would like this authentication to not be in the form of a popup, but rather via a username/password pair of fields at some place on the page. After authentication, this should be reaplced by some generic have a nice day kinda message, or perhaps simply removed altogether. Additionally, they will be able to alter their personal information and doing stuff like filling in the feedback form should mean that they don't have to enter any personal info, just fill in the details and click the send buttopn. My experience with .htaccess files is that they make an authentication popup, which is not what I am aiming at. How can I incorporate this sort of user info in the apache authentication stuff using python? In other words you want the application to authenticate the user rather than use any of the HTTP authentication schemes. This entails maintaining session state, usually referenced by a cookie, and having each page that requires authentication check that the user's session state indicates login has already been achieved (and hasn't been timed out). Alternatively they can verify by program that the browser has presented correct authorization credentials, but there seem little advantage to doing this since the server can do it for you, and it still involved the browser pop-up you want to get rid of. It also means that your authenticated pages must all be programmed pages (no static content like HTML or plain text). Since HTTP authentication is managed by the browser it's difficult to integrate it with web application authentication: basically you have to choose between the two. There's no way for the server to tell the browser to start presenting the required authentication credentials except by raising a 401 (not authorised) error response, which is what makes the browser bring up its little popup. I could write a book about this stuff ... regards Steve -- Steve Holden +44 150 684 7255 +1 800 494 3119 Holden Web LLC/Ltd http://www.holdenweb.com Love me, love my blog http://holdenweb.blogspot.com Recent Ramblings http://del.icio.us/steve.holden -- http://mail.python.org/mailman/listinfo/python-list
Re: [newbie]apache authentication questions
Steve Holden wrote: [EMAIL PROTECTED] wrote: Since HTTP authentication is managed by the browser it's difficult to integrate it with web application authentication: basically you have to choose between the two. There's no way for the server to tell the browser to start presenting the required authentication credentials except by raising a 401 (not authorised) error response, which is what makes the browser bring up its little popup. It is not impossible though and in cases where you don't have a choice but to use a HTTP authentication scheme, use of AJAX may be the answer to still allowing use of a form based login scheme. See: http://www.peej.co.uk/articles/http-auth-with-html-forms.html Graham -- http://mail.python.org/mailman/listinfo/python-list