[Tutor] mod_python authentication
Marc
marc at marcd.org
Tue Dec 8 05:10:48 CET 2009
> On Mon, 2009-12-07 at 09:35 -0400, Rayon wrote:
> > How do I check for an active login session on every page that
> > requires authentication?
> >
> To understand sessions you first need to understand that HTTP is a
> stateless protocol: you connect, send your request, receive a response,
> and the connection is closed.
>
> There are several ways to accomplish this. The most straightforward way
> would be remembering the client's IP.
> Another method is putting the session's ID in the URLs you display to
> your users.
> The most common and reliable choice is the good old session cookie.
While I agree with the cookie (as long as it has a short expiration),
another way to do this is by using expiring tokenization (credentials + some
unique data for the transaction) in the URL header (see section 14.8 at
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html). Tokenization
substitutes some random string for confidential data (such as credentials).
The payment card industry uses this in the form of an authorization code for
card transactions. Add to the data represented by the token some unique
data (maybe a random number or some data from the last transaction; it
doesn't matter, as the token does not expose the data in any way) for each
HTTP transaction, so you have a unique token in each header and you can get an
essentially stateful session with a method of checking authentication that
has some spoof protection built in. Wrap it all in SSL/TLS and then you've
got something. Granted, this requires some serious server-side work, and is
probably not a good beginner exercise, but if this level is what you
need.... I have never coded anything like this in Python, but I can see
abstractly how it could be done (I'm a novice with Python). If you're bored,
you can read http://www.shift4.com/pdf/TokenizationWhitePaper.pdf, especially
sec. 1:7. Ok, Ok, I'll shut up now; I've got to go play with some XML
anyhow... Thanks for listening.
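The following is an added example, not code from either poster, showing the two ideas above in one place: a short-lived session cookie backed by a server-side store, where the token is an opaque random string (so it reveals nothing about the credentials) and is replaced on every accepted request (the "unique data per transaction" idea, which also limits replay of a captured token). It uses only the standard library and does not touch the mod_python API; a mod_python handler would call require_login() with req.headers_in.get("Cookie") and copy the returned headers into req.headers_out. DEMO_USERS, COOKIE_NAME and the fixed-clock injection are assumptions for the demo.

```python
# Added example: server-side session store with expiring, per-request
# rotating tokens, plus the gate to run on every page that needs a login.
# Standard library only; the mod_python glue is left to the caller.
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60  # seconds; keep the cookie's life short

# Constructed credential check for the demo only; real code verifies a
# salted password hash loaded from a database, never a plaintext table.
DEMO_USERS = {"alice": "correct horse battery staple"}


def check_credentials(user, password):
    expected = DEMO_USERS.get(user)
    if expected is None:
        return False
    # Constant-time comparison so a wrong password takes the same time
    # whichever character differs.
    return secrets.compare_digest(expected.encode(), password.encode())


class SessionStore:
    """Maps an opaque random token to (user, expiry time).

    The store is keyed by SHA-256 of the token, so a leaked copy of the
    store does not yield usable tokens, and the dict lookup never
    compares the secret itself.
    """

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be tested
        self._sessions = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[self._key(token)] = (user, self.clock() + self.ttl)
        return token

    def login(self, user, password):
        """Return a fresh session token, or None if the credentials are bad."""
        if not check_credentials(user, password):
            return None
        return self._issue(user)

    def validate(self, token):
        """Consume `token`; return (user, new_token) or None.

        Every accepted token is removed and replaced, so a captured token
        is only useful until the legitimate client's next request, and an
        expired one is rejected even if it was never presented before.
        """
        if not token:
            return None
        entry = self._sessions.pop(self._key(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() > expires_at:
            return None
        return user, self._issue(user)

    def logout(self, token):
        if token:
            self._sessions.pop(self._key(token), None)


COOKIE_NAME = "sid"


def require_login(store, cookie_header):
    """Gate for every page that requires authentication.

    Takes the raw Cookie request header and returns (status, headers, user).
    On success the headers carry the rotated cookie; on failure the caller
    redirects to the login page instead of serving the protected content.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    token = cookie[COOKIE_NAME].value if COOKIE_NAME in cookie else None
    result = store.validate(token)
    if result is None:
        return 302, {"Location": "/login"}, None
    user, new_token = result
    # Secure: only over TLS, as the post says. HttpOnly: not readable by
    # page scripts. Max-Age: matches the server-side expiry.
    set_cookie = "%s=%s; Path=/; Max-Age=%d; Secure; HttpOnly; SameSite=Lax" % (
        COOKIE_NAME, new_token, store.ttl)
    return 200, {"Set-Cookie": set_cookie}, user
```

Because each request consumes the token and issues a new one, two requests racing with the same cookie will see the second one rejected; a real deployment either serialises requests per session or keeps the previous token valid for a short grace period, at the cost of some replay window.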