Branko Vukelic wrote:
> I'll read this through 2 or 10 times. I'm so new to this topic I don't
> understand what you wrote all that well. Please give me some time. :P
>

Sorry, my description is probably out to lunch. I know what I meant, but the explanation may not make much sense.

> What I'm most interested in is how do I encrypt passwords and usernames,
> how do I store them (e.g., do I store hash(uname+loging+salt+whatever?)
> or just the pw) in the DB, and finally how to track the user's status.
> The last bit I've some vague idea about. It's not unimaginable I'd be
> using sessions to store the logged-in status, and clear that when user
> logs out, etc...
>

Tracking the status through sessions is convenient, and darn-near invisible. I love it.
Since the site I'm working on is still in development, I haven't put encryption of passwords in (frankly, I don't even have an email-based 'forgot-my-password' functionality yet). I'll likely be putting encryption in soon though, since it all just seems to work right now.

> From what I've seen on the web, and perhaps your example is somewhat
> like it, most folks do page-based authentication. I would also like to
> decouple that from the GET and POST methods, and check for
> authentication in templates. Sort of like unlocking parts of the page.
> For example, I have a blog. On the index page of the blog, I also list
> unpublished posts. So, if I'm authenticated, I get access to those,
> otherwise, I only get a login link.
>
> Hope I'm making sense at least a little bit. :)
>

Yep, perfect sense. The templates are quite powerful. In the example I gave, I'm passing strings that are simply shoved into the outgoing page. That's not all you can do with the strings. You /could/ embed if/then logic into your web pages which would work the way you're describing. (From http://webpy.org/tutorial3.en):

----------------in your template----------------------
$def with (name)

$if name:
    I just wanted to say <em>hello</em> to $name.
$else:
    <em>Hello</em>, world!
----------------in your template----------------------

Substitute 'logged_in' in place of 'name', and you'll see what I'm getting at.

Now, the next question in my mind is 'Do you want to?' For me, I'd have to say no, because you'd have to have login handling code on every page of your web site where being logged in is relevant. If you choose to change how that happens, now you're re-writing that for every page rather than only having to deal with it on its own.

You'll notice in my last email, I tuck away the page I tried to go to, and then send the user to the login page. At the end of successful login, I send the user to the page they originally intended.
Also, the login handling happens just in one place, so if it changes I'm not updating all the pages on my site.

Hope that's clear.

-Ken
