Gentoo Archives: gentoo-user

From: James <jtp@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] [ot] python + http authentication (with cherrypy)
Date: Tue, 08 Jul 2008 01:15:35
Message-Id: e107b4ff0807071815h4e6a1017x96a54fa62845e21b@mail.gmail.com
Hi All,

I'm writing a web application in CherryPy. What a beautiful thing it
is to write Python code and get a simple yet powerful web output. :)

The web application needs to have some decent level of security and
authentication implemented.

The big issue here is that the user password is stored in a database
and algorithmically calculated as follows:
md5( md5( $password ) + salt )

The salt is also stored in the database (which I have full access to).
I can easily use the md5 library to compare what a user gives me and
see if that's the correct password (based on the salt and the stored
password in the database). I'm unsure, however, how to go about
implementing security into my web application.

CherryPy obviously has a 'session' library in it. But in the periods
of time I've researched writing web applications in the past
(primarily when dealing with PHP), there was always great debate in
how to write a "good" secure web application. (i.e., it becomes tricky
when determining what precisely you should be passing around in terms
of session variables).

Thoughts? Am I going about this the wrong way? It would be much easier
to use either digest or basic http authentication mechanisms, but I
don't think that this is possible because of the fact that the
password is double-hashed in the database (or am I wrong?).

Any help appreciated. :o)

-j
--
gentoo-user@l.g.o mailing list
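As an added worked example (not code from the original post or from CherryPy), here is how the stored scheme md5(md5($password) + salt) can be checked against what a browser sends with HTTP Basic authentication. Basic auth hands the server the cleartext password on every request, so the server can recompute the double hash from the stored salt and compare; that is why it works with this storage format, whereas Digest authentication would require the server to know md5(username:realm:password), which cannot be derived from the stored value. The user table, salts and passwords are constructed sample data. The assumption that the inner md5 is the hex digest (what PHP's md5() returns, concatenated with the salt as a string) is mine, as is the (realm, username, password) -> bool checker shape, which matches what CherryPy's auth_basic tool expects for its checkpassword callback. Because Basic only base64-encodes the credentials, it belongs behind TLS.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def double_md5(password: str, salt: str) -> str:
    """md5(md5(password) + salt), the scheme described in the post.

    Assumption: the inner md5 is the 32-char hex digest (as PHP's md5()
    returns) and the salt is appended to that hex string before the outer md5.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


# Constructed sample of the user table: username -> (salt, stored hash).
# In the real application these rows come from the database the post mentions.
USERS: Dict[str, Tuple[str, str]] = {
    "james": ("s4lt", double_md5("correct horse", "s4lt")),
    "alice": ("pepper1", double_md5("battery staple", "pepper1")),
}

# A salt/hash pair that no real user has, so an unknown username costs the
# same hashing work as a known one (limits username enumeration by timing).
_DUMMY_SALT = "dummy"
_DUMMY_HASH = double_md5("dummy", _DUMMY_SALT)


def verify_password(realm: str, username: str, password: str) -> bool:
    """Return True only if `password` reproduces the stored hash for `username`.

    Takes (realm, username, password) so it can serve as a Basic-auth checker;
    the realm is unused by this storage scheme but kept for that call shape.
    """
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = double_md5(password, salt)
    # Constant-time comparison: a plain == stops at the first differing byte.
    ok = hmac.compare_digest(candidate, stored)
    return ok and username in USERS


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <base64>' header into (username, password).

    Returns None for a missing header, a non-Basic scheme, invalid base64 or a
    payload without the ':' separator. Passwords may contain ':', so only the
    first one is treated as the separator.
    """
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


def make_basic_header(username: str, password: str) -> str:
    """Build the header a client would send (used here to exercise the parser)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def authenticate_request(header: Optional[str], realm: str = "app") -> Optional[str]:
    """Parse the header and verify the credentials; return the username or None."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    username, password = creds
    return username if verify_password(realm, username, password) else None


if __name__ == "__main__":
    print(authenticate_request(make_basic_header("james", "correct horse")))  # james
    print(authenticate_request(make_basic_header("james", "wrong")))          # None
    print(authenticate_request("Bearer not-basic"))                           # None
```

Two details matter beyond the hashing itself: the comparison uses hmac.compare_digest rather than ==, and an unknown username is still hashed against a dummy salt so the request takes the same time as a failed login for a real user. The check only wraps the storage format the database already uses; moving that format to a slow, purpose-built password hash is a separate change.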

Replies

Subject Author
Re: [gentoo-user] [ot] python + http authentication (with cherrypy) Anielkis Herrera Gonzalez <aherrerag@×××.cu>