[EMAIL PROTECTED] wrote: > I have an apache 1.3.29 server that is running my website. I have > written a bunch of scripts to generate the pages from csv files which > work great. > > My next thing to learn is how to get user authentication functioning > the way I need it. > > I understand the steps required to make .htpaccess files work, but
that's ".htaccess", but you probably knew that. > this won't be enough for my purposes. I want the site to remember that > a visitor has logged in or not, and also to read a bunch of personal > info from a csv file dedicated to the userbase. (A later project will > be to convert my csv files into databases, but I am into baby steps at > the moment, so just focussing on python webiste authentication) > > Ideally I would like this authentication to not be in the form of a > popup, but rather via a username/password pair of fields at some place > on the page. After authentication, this should be reaplced by some > generic "have a nice day" kinda message, or perhaps simply removed > altogether. Additionally, they will be able to alter their personal > information and doing stuff like filling in the feedback form should > mean that they don't have to enter any personal info, just fill in the > details and click the send buttopn. My experience with .htaccess files > is that they make an authentication popup, which is not what I am > aiming at. > > How can I incorporate this sort of user info in the apache > authentication stuff using python? > In other words you want the application to authenticate the user rather than use any of the HTTP authentication schemes. This entails maintaining "session state", usually referenced by a cookie, and having each page that requires authentication check that the user's session state indicates login has already been achieved (and hasn't been timed out). Alternatively they can verify by program that the browser has presented correct authorization credentials, but there seem little advantage to doing this since the server can do it for you, and it still involved the browser pop-up you want to get rid of. It also means that your authenticated pages must all be programmed pages (no static content like HTML or plain text). Since HTTP authentication is managed by the browser it's difficult to integrate it with web application authentication: basically you have to choose between the two. There's no way for the server to tell the browser to start presenting the required authentication credentials except by raising a 401 (not authorised) error response, which is what makes the browser bring up its little popup. I could write a book about this stuff ... regards Steve -- Steve Holden +44 150 684 7255 +1 800 494 3119 Holden Web LLC/Ltd http://www.holdenweb.com Love me, love my blog http://holdenweb.blogspot.com Recent Ramblings http://del.icio.us/steve.holden -- http://mail.python.org/mailman/listinfo/python-list
