Hi. I want to implement authentication with web.py. Everything will be done over SSL.
I see the process like this: the user inputs a login and password. They are sent to web.py. It MD5-hashes the password and checks it against the MD5-hashed password for the login in the DB. If they are equal, it sets the user's cookie ID variable to, e.g., "1". This "1" is a session ID. This "1" is also put into a DB table of active sessions and is assigned an expiry date of, say, 1 hour. The user then interacts using this session ID. After half an hour has passed, web.py gives the user a new session ID and replaces the old one in the DB and cookie. This way, if the user is active within half an hour, he gets his session ID renewed and his cookie won't allow anyone to crack him.

Is this reasonable or is this stupid? Maybe I should use some ready-made solution? How do I make it really safe?
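The flow described in the post, as an added example that is not part of the original message: it keeps the 1-hour expiry and the 30-minute renewal, but substitutes salted PBKDF2 for MD5 and a random token for the "1" session ID. The in-memory dicts (standing in for the DB tables), the function names and the PBKDF2 round count are assumptions.

```python
import hashlib, hmac, os, secrets

SESSION_TTL = 3600       # a session ID expires 1 hour after it was issued
ROTATE_AFTER = 1800      # issue a fresh ID once the current one is 30 minutes old
PBKDF2_ROUNDS = 600_000  # assumed work factor; tune for your hardware

USERS = {}     # login -> (salt, derived_key); stands in for the users table
SESSIONS = {}  # session_id -> (login, issued_at); stands in for the sessions table

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(login, password):
    salt = os.urandom(16)  # per-user salt, stored next to the derived key
    USERS[login] = (salt, _derive(password, salt))

def _new_session(login, now):
    sid = secrets.token_urlsafe(32)  # unguessable, unlike a counter such as "1"
    SESSIONS[sid] = (login, now)
    return sid

def log_in(login, password, now):
    """Return a new session ID, or None if the credentials are wrong."""
    salt, stored = USERS.get(login, (b"\x00" * 16, b""))
    candidate = _derive(password, salt)  # computed even for unknown logins
    if not hmac.compare_digest(candidate, stored):
        return None
    return _new_session(login, now)

def check_session(sid, now):
    """Return (login, session ID to put in the cookie), or (None, None)."""
    entry = SESSIONS.get(sid)
    if entry is None:
        return None, None
    login, issued_at = entry
    age = now - issued_at
    if age >= SESSION_TTL:
        del SESSIONS[sid]  # expired: remove it server-side as well
        return None, None
    if age >= ROTATE_AFTER:
        del SESSIONS[sid]  # the old ID stops working as soon as it is replaced
        sid = _new_session(login, now)
    return login, sid
```

The second value returned by `check_session` is what goes back into the cookie; since everything runs over SSL, the cookie can also carry the `Secure` and `HttpOnly` attributes.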
