Home Original page

Password protection system for web app

Andrew Clover and-google at doxdesk.com
Tue Oct 14 15:10:56 EDT 2003 
"Jegenye 2001 Bt" <jegenye2001 at fw.hu> wrote:

> Could someone please suggest a very lightweight solution for protecting
> directories on a web server? (membership system)

Depends on what the web server is, and how it's set up. The obvious
solution for Apache is to put mod_auth stuff in .htaccess. You can then
let Apache do both the authentication and the directory browsing.

> An administrator, after logging in via the web, should have the ability to
> add/remove users who then could access their own password protected
> directories only with their browsers.

This can be done either by having the CGIs update the .htpasswd file
directly, or with a database password backend like mod_auth_mysql.

> I know this could be easily done with Zope (I know that) and probably with
> many other fully blown web application servers like Webware, etc.  of which
> there are many. But now all I need  some CGI hacks

Doing HTTP authentication yourself with CGI has problems. Primarily, that
Apache doesn't pass the Authorization header to your scripts (unless you
recompile it with the SECURITY_HOLE_PASS_AUTHORIZATION switch). With IIS
you also have to be sure to turn all auth features off (anon access only)
and remove the default error page for 403, or auth won't work.

> Either HTTP basic authentication or cookie based authentication would do.

If you can only do standard-CGI, without proper config access to the server,
cookie-based auth is probably your easiest solution, yes. 

-- 
Andrew Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
More information about the Python-list mailing list