[Tutor] python + http authentication (with cherrypy)

Kent Johnson kent37 at tds.net
Tue Jul 8 03:54:13 CEST 2008

On Mon, Jul 7, 2008 at 9:10 PM, James <jtp at nc.rr.com> wrote:
> Hi All,
> I'm writing a web application in CherryPy. What a beautiful thing it
> is to write Python code and get a simple yet powerful web output. :)
> The web application needs to have some decent level of security and
> authentication implemented.
> The big issue here is that the user password is stored in a database
> and algorithmically calculated as follows:
> md5( md5( $password ) + salt ) )

> CherryPy obviously has a 'session' library in it. But in the periods
> of time I've researched writing web applications in the past
> (primarily when dealing with PHP), there was always great debate in
> how to write a "good" secure web application. (i.e., it becomes tricky
> when determining what precisely you should be passing around in terms
> of session variables).

A typical usage is to have a session cookie that is a key into some
kind of server storage, e.g. a database table. The cookie itself
doesn't contain any information.

You might want to look at TurboGears, it uses CherryPy so it might not
be too hard  to migrate your code, and it includes an identity
subsystem that supports user-written authentication backends. See for


More information about the Tutor mailing list