[Tutor] do you know how to do this

Danny Yoo dyoo at hkn.eecs.berkeley.edu
Fri Oct 13 03:24:36 CEST 2006


> a login page that takes a username and password, checks it against a 
> database, and then sets a cookie of (hash(secret,user, time),user,time).

Hi Anil,

Ok, separate the concerns about where the inputs are coming from.  It will 
seem weird, but just for the moment, forget completely about the web, and 
just concentrate on the inputs and outputs of this subproblem.


It sounds like you're trying to generate a string value, given a user name 
and value.  Conceptually, you can treat this as a simple function:

     def generate_login_cookie(username, password):
         """generate_login_cookie: string string -> string
         Creates a new login cookie that can be used to log in again."""
         ## fill me in.

This might not quite be right yet, but we're still looking at this from a 
high level.



> Then there's a function that checks the cookie and returns the user 
> object if the hashes match.

Ok, furthermore, it sounds like you want a function that takes a cookie 
string value and returns a User object if the hashes match.  Just for 
discussion's sake, let's call this login_with_cookie().

     def login_with_cookie(cookie_value):
         """login_with_cookie: string -> User, or None
         Given a string value generated with generate_login_cookie(),
         returns the associated user.  Otherwise, returns None."""
         ## fill me in

I have no idea what a User object is supposed to be, but I'll assume for 
the moment that this function is going to satisfy the following pseudocode 
requirement:

     if sometime in the past:

         c = generate_login_cookie(username, password)

     then:

         u = login_with_cookie(c)
         assert (u.username == username)

     should hold.  Furthermore, on any other arbitrary string s that hasn't
     been generated with generate_login_cookie(), we'd like to know that:

         assert (login_with_cookie(s) == None)

     because otherwise the login system would suck.  *grin*


We also know that generate_login_cookie() and login_with_cookie() must 
cooperate in some way that is persistent across time.  That's where your 
database is going to come into play: a database is going to be your 
persistent state.

I would recommend concentrating on getting those two functions working, 
because they have the nice property that you can actually code these out 
without having to go doing web-ish things.  More importantly, you should 
be able to unit-test something like this with ease.  (And you'd better 
test, considering how important login and authentication are!)


The part dealing with the web itself can be considered orthogonal.  If you 
get generate_login_cookie() and login_with_cookie() working ok, then your 
problem reduces down to: "How do I set a cookie in my web application?", 
and "How do I read a cookie from the user's request?" because you can use 
the above functions as helpers.  Then you have a much simpler problem on 
your hands.

The main difficulty that I think you're hitting is that you seem to try to 
juggle all your requirements at the same time.  So the main recommendation 
I can give is: decompose your problem.  Try not to solve it in one gulp: 
most problems are too big to handle all at once.
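As an added example (not code from the original message or its author), here is one runnable, self-contained way to fill in the two helpers sketched above, realising the `(hash(secret,user,time),user,time)` cookie as an HMAC-SHA256 tag keyed with a server-side secret. Everything not in the post is an assumption: the in-memory `USER_DB` dictionary standing in for the database, the `User` dataclass, the `SERVER_SECRET`, the `COOKIE_LIFETIME_SECONDS` expiry window, the `now` parameter (only there so tests can pin the clock), and the `mac:username:time` cookie layout.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the database: username -> salt and salted password hash.
# (A static salt is used only to keep the sample self-contained.)
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SAMPLE_SALT = b"constructed-sample-salt"
USER_DB = {
    "anil": {"salt": _SAMPLE_SALT, "pw_hash": _hash_password("correct horse", _SAMPLE_SALT)},
}

# Assumed: a secret generated once per server process and never sent to the client.
SERVER_SECRET = secrets.token_bytes(32)

# Assumed: how long a cookie stays valid after it was issued (seconds).
COOKIE_LIFETIME_SECONDS = 3600


@dataclass
class User:
    username: str


def _mac(username: str, issued_at: int) -> str:
    # hash(secret, user, time) from the post, done as HMAC-SHA256 over "user:time".
    msg = f"{username}:{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def generate_login_cookie(username: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """generate_login_cookie: string string -> string, or None
    Checks the password against USER_DB; on success returns "mac:username:time",
    otherwise None."""
    record = USER_DB.get(username)
    if record is None or ":" in username:  # ":" is the cookie separator
        return None
    if not hmac.compare_digest(_hash_password(password, record["salt"]), record["pw_hash"]):
        return None
    issued_at = int(time.time()) if now is None else now
    return f"{_mac(username, issued_at)}:{username}:{issued_at}"


def login_with_cookie(cookie_value: str, now: Optional[int] = None) -> Optional[User]:
    """login_with_cookie: string -> User, or None
    Every parse failure, unknown user, expiry or tag mismatch returns None,
    so an arbitrary string that was not produced by generate_login_cookie()
    never logs anyone in."""
    parts = cookie_value.split(":")
    if len(parts) != 3:
        return None
    mac, username, ts = parts
    if not ts.isdigit() or username not in USER_DB:
        return None
    issued_at = int(ts)
    current = int(time.time()) if now is None else now
    if issued_at > current or current - issued_at > COOKIE_LIFETIME_SECONDS:
        return None
    # Constant-time comparison of the presented tag against a freshly computed one.
    if not hmac.compare_digest(mac.encode(), _mac(username, issued_at).encode()):
        return None
    return User(username=username)


if __name__ == "__main__":
    cookie = generate_login_cookie("anil", "correct horse")
    print(cookie)
    print(login_with_cookie(cookie))      # User(username='anil')
    print(login_with_cookie("nonsense"))  # None
```

Because the time is part of the cookie, the server can reject stale cookies without any per-session database row; the persistent state the post mentions is the user table plus the secret. The whole thing is testable with plain asserts, exactly the property the post asks for.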

