On Sun, 2009-06-28 at 18:46 +0100, Ken Corey wrote:
> Branko Vukelic wrote:
> > I'll read this through 2 or 10 times. I'm so new to this topic I don't
> > understand what you wrote all that well. Please give me some time. :P
>
> Sorry, my description is probably out to lunch. I know what I meant,
> but the explanation may not make much sense.
I've gone over the code again, and it's a bit clearer. However, I guess I'm more interested in actual storage and encryption of the passwords at this moment. I'm not too keen on reinventing the wheel here, because... well, you know, so many things that can go wrong. Any idea where I could find good libraries for handling passwords and similar things? I'm also thinking about picking apart Django's auth system and adapting it for my app (or at least learning a thing or two about the right way to do things).

> > What I'm most interested in is how do I encrypt passwords and usernames,
> > how do I store them (e.g., do I store hash(uname+login+salt+whatever?)
> > or just the pw) in the DB, and finally how to track the user's status.
> > The last bit I've some vague idea about. It's not unimaginable I'd be
> > using sessions to store the logged-in status, and clear that when user
> > logs out, etc...
>
> Tracking the status through sessions is convenient, and darn-near
> invisible. I love it.
>
> Since the site I'm working on is still in development, I haven't put
> encryption of passwords in (frankly, I don't even have an email-based
> 'forgot-my-password' functionality yet). I'll likely be putting
> encryption in soon though, since it all just seems to work right now.

My buddy (security specialist) gave me this link to read, when I asked about encryption:

http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/

:)

> > From what I've seen on the web, and perhaps your example is somewhat
> > like it, most folks do page-based authentication. I would also like to
> > decouple that from the GET and POST methods, and check for
> > authentication in templates. Sort of like unlocking parts of the page.
> > For example, I have a blog. On the index page of the blog, I also list
> > unpublished posts. So, if I'm authenticated, I get access to those,
> > otherwise, I only get a login link.
> >
> > Hope I'm making sense at least a little bit. :)
>
> Yep, perfect sense.
>
> The templates are quite powerful. In the example I gave, I'm passing
> strings that are simply shoved into the outgoing page. That's not all
> you can do with the strings. You /could/ embed if/then logic into your
> web pages which would work the way you're describing.
>
> (From http://webpy.org/tutorial3.en):
> ----------------in your template----------------------
> $def with (name)
>
> $if name:
>     I just wanted to say <em>hello</em> to $name.
> $else:
>     <em>Hello</em>, world!
> ----------------in your template----------------------
>
> Substitute 'logged_in' in place of 'name', and you'll see what I'm
> getting at.
>
> Now, the next question in my mind is 'Do you want to?' For me, I'd have
> to say no, because you'd have to have login handling code on every page
> of your web site where being logged in is relevant. If you choose to
> change how that happens, now you're re-writing that for every page
> rather than only having to deal with it on its own.
>
> You'll notice in my last email, I tuck away the page I tried to go to,
> and then send the user to the login page. At the end of successful
> login, I send the user to the page they originally intended. Also, the
> login handling happens just in one place, so if it changes I'm not
> updating all the pages on my site.

My app is a blogging engine, so I only log in when I need to. The idea was for the whole site to act like a wiki-like thingy, so I unlock functionality by logging in. Therefore, no page is inherently locked as a whole. I only unlock parts that have to do with editing. That's why I don't need to redirect. But yes, I can imagine at least a dozen situations where such an approach is necessary, and will probably be doing something similar soonish.

And yes, you are making a lot of sense. ;) Thanks again.
Best regards,

--
Branko
eml: [email protected]
alt: [email protected]
blg1: http://sudologic.blogspot.com/
blg2: http://brankovukelic.blogspot.com/
img: http://picasaweb.google.com/bg.branko
twt: http://www.twitter.com/foxbunny/
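On the question raised in this thread (store hash(uname+login+salt) or just the pw?), here is an added example, not from the thread or from web.py/Django, of the usual answer: hash, do not encrypt, the password alone with a per-user random salt and a slow key-derivation function, and keep the username in clear as the lookup key. It assumes Python 3 (hashlib.pbkdf2_hmac) and uses a constructed in-memory users table in place of the DB.

```python
import hashlib
import hmac
import os

# Added example: salted password storage and verification with PBKDF2-HMAC-SHA256.
# The stored record holds algorithm, iteration count, salt and derived hash, so the
# parameters can be raised later without breaking existing users.

ITERATIONS = 200_000  # assumption: tune so one verification costs tens of milliseconds


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record of the form 'pbkdf2_sha256$iterations$salt$hash'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, record):
    """Re-derive with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt, expected, iters = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex), int(iters)
    except ValueError:
        return False  # malformed record, e.g. a legacy plaintext or foreign format
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(candidate, expected)


# Constructed sample "users" table standing in for the DB rows (username -> record).
# Both users chose the same password; the salt makes the stored records differ.
USERS = {
    "branko": hash_password("correct horse battery staple"),
    "ken": hash_password("correct horse battery staple"),
}
# Used for unknown usernames so a failed lookup costs the same as a failed password.
DUMMY_RECORD = hash_password("dummy-not-a-real-user")


def login(username, password):
    """True only if the user exists and the password matches the stored record."""
    record = USERS.get(username, DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in USERS
```

Once a user logs in successfully, the session only needs to carry the username (or user id), never the password or its hash.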
