Hi Terry,

> Stephen wrote:
> > I think Ralph meant in the link he sent, which had the code from the
> > Flask codebase for its version of HTTPBasicAuth. For basic auth it’s
> > usually much simpler to use an .htaccess file, or with nginx the
> > equivalent.
>
> Oh. OK. I understand that is the code for the Flask method and not the
> code for the Flask Development Server, but surely it's the server that
> sets the cookie?
>
> As you can see, I have little idea how these things work.

A browser sends an HTTP request and amongst the headers are zero or more
Cookie ones for any cookies the browser had stored for the server's
domain name. The web server passes those Cookie headers on to your code
which is handling the request.
https://flask.palletsprojects.com/en/1.1.x/quickstart/#cookies says

    To access cookies you can use the cookies attribute.

When sending the reply from your code, through the web server, and back
to the browser you may choose to set one or more cookies with the
Set-Cookie header. These may be new cookies or existing ones. That
Flask link again:

    To set cookies you can use the set_cookie method of response objects.

But you're using HTTP Basic Authentication.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
This doesn't use cookies. Instead, there is a WWW-Authenticate header
from the server and an Authorization one from the browser.

The implementation of those two can be done by the web server or your
code. If the web server, and it decides access is denied, then your code
never gets called. This is the ‘basic auth’ using .htaccess which
Stephen mentions above and further explained at that mozilla.org page.
The browser sees the challenge by the web server and puts up its own
login-prompt box for username and password.

If you want a nice web page for login then your code implements the test
instead, which is where your existing use of HTTPBasicAuth() from
flask-HTTPAuth comes in.

Either way, cookies aren't part of the mechanism, even if they may be
present for other reasons, which explains why clearing cookies didn't
have a matching effect.

Rewinding some months...

- What's the website?
- Does the whole site require authentication?
- Are the users who need to authenticate a handful so they can be
  educated in responding to the browser's login prompt?
- Do the users share devices provided at the site?
- How long should a ‘login’ last?

-- 
Cheers, Ralph.

-- 
  Next meeting: Online, Jitsi, Tuesday, 2021-02-02 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
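
Added example, not part of the original email and not code from Flask or Flask-HTTPAuth: the WWW-Authenticate / Authorization exchange described in the message, written as a standard-library WSGI app so it runs without Flask. The user table, realm name and helper names (`basic_header`, `check_basic`, `call`) are constructed for the illustration.

```python
import base64
import hmac

USERS = {"terry": "correct horse"}  # constructed; real code checks a password hash
REALM = "example"                   # constructed realm name


def basic_header(user, password):
    """What the browser sends after the login prompt: base64 of user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(header):
    """Return the user name if the Authorization header is valid, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    # compare_digest keeps the comparison time independent of the mismatch position
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    return user if sep and expected is not None and ok else None


def app(environ, start_response):
    """WSGI app: challenge with WWW-Authenticate until Authorization is valid."""
    user = check_basic(environ.get("HTTP_AUTHORIZATION"))
    if user is None:
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", f'Basic realm="{REALM}"'),
            ("Content-Type", "text/plain"),
        ])
        return [b"Authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"Hello, {user}\n".encode()]


def call(environ):
    """Drive the app once; return (status, response headers as dict, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(dict(environ), start_response))
    return seen["status"], seen["headers"], body
```

The browser repeats the Authorization header on every request to the realm, so neither response carries a Set-Cookie header; Basic credentials are only base64-encoded, so the exchange needs HTTPS.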