authentication project

  • jayt33

    authentication project

    I'm working on a project that involves creating a back end solution to
    authenticate and manage user accounts for a website. I'm new to Python
    and am looking for some good references that can help me with this task.

    The requirements for the project are as follows:

    A new user can register with their email address and password of their
    choice. Upon registration, a confirmation email shall be sent which
    contains a link that needs to be clicked on within a fixed period of
    time in order to activate the account. Access to site resources shall be
    limited to users that have registered a valid user account. Also, the
    solution must automatically lock a given user account should an
    incorrect password be attempted repeatedly within a set timeframe. All
    necessary data is stored in a SQL Server database and Python Database
    API v2.0 is used to connect to the database.

    I need to develop a suitable schema and Python module to provide this
    functionality.

    Any help is much appreciated.

    Thanks,

    JT

  • Dennis Lee Bieber

    #2
    Re: authentication project

    On 7 Aug 2005 10:48:50 -0700, "jayt33" <jayt33@gmail.com> declaimed the
    following in comp.lang.python:

    > I'm working on a project that involves creating a back end solution to
    > authenticate and manage user accounts for a website. I'm new to Python
    > and am looking for some good references that can help me
    While you do specify "back-end", I'm not clear enough on how
    this will be invoked... CGI, mod_python, Zope/Plone (though that set
    already has authentication out of the box), CherryPy...

    Who is responsible for the Web interface to the user? The login
    screen, session cookies (going to be needed to identify a user as
    logged-in as they go from page to page)?

    Or are you just a small module that some other existing
    web-application will make use of, where that application handles all
    user interface and session management? Who handles session time-out, you
    or the application? Who handles the confirmation link? {You'll
    notice I'm making reference to things below.}
    > with this task.
    >
    > The requirements for the project are as follows:
    >
    > A new user can register with their email address and password of their
    > choice. Upon registration, a confirmation email shall be sent which
    > contains a link that needs to be clicked on within a fixed

    I hope your web interface is using encrypted sessions for the
    password, though you shouldn't be storing the password in the database
    anyway -- store some one-way hash of it.

    Your master is probably going to have to invoke something like:

        if not accountmanager.create(user, password):
            # return message that the account could not be entered
            # maybe the user is already in the database

    accountmanager.create() will have to:

    1. check for the existence of the user in the database and
       reject the request if found
    2. hash the password, store the user id, password, and time stamp
       into the database (along with some record id for the email link
       and a flag for UNCONFIRMED)
    3. format a confirmation request email and send it out

    The master, when the email link is clicked, will have to do
    something like:

        if not accountmanager.confirm(unique_link_id):
            # return message that the account could not be
            # confirmed -- perhaps too much time, or bogus
            # link ID, or already confirmed

    accountmanager.confirm() does:

    1. retrieve record with specified ID, rejecting if the ID is not
       found
    2. compare confirmation time with creation time stamp and
       reject if too much time has passed. Maybe delete the
       user record from the database (so the id can be reused
       on a new registration attempt)
    3. compare status flag and reject if already confirmed
    4. accept confirmation and update status flag to CONFIRMED
       and set the account to UNLOCKED

    The master, on a normal page request, will check for a valid
    session cookie; if found, it goes on -- otherwise it puts up the login
    page and...

        status = accountmanager.login(user, password)
        if status == INCORRECT:
            # return message about incorrect user/password
            # DO NOT be particular, you don't want to tell someone
            # that a password is incorrect for a valid user id, or
            # that a user id is unknown
        elif status == LOCKED:
            # return message about locked account
        else:
            # set time limited session cookie

    accountmanager.login() needs to do:

    1. retrieve record for user; if no such user reject as INCORRECT
    2. compare hashed password to saved hash; if no match,
       reject as INCORRECT (ONLY AFTER COMPUTING LOCKED
       STATE). Check "time of last login attempt" -- if
       this attempt is > whatever the attempt period is, save this
       time as the "time of last login attempt" and save Tries = 1. If
       this attempt time is < time of last + attempt period, save Tries
       = Tries + 1. If Tries > limit, save and return status as LOCKED.
    3. save time as time of last login attempt, optionally return Tries
       so master can produce a "there were x failed login attempts
       since your last successful login", return SUCCESS

    --
    ================================================================ <
    wlfraed@ix.netcom.com | Wulfraed Dennis Lee Bieber KD6MOG <
    wulfraed@dm.net | Bestiaria Support Staff <
    ================================================================ <
    Home Page: <http://www.dm.net/~wulfraed/> <
    Overflow Page: <http://wlfraed.home.netcom.com/> <

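One way to turn the create/confirm/login sketch in the reply above into a working module, as an added example that is not Dennis's code: it assumes an in-memory sqlite3 connection standing in for the SQL Server one (both are DB-API 2.0 connections using qmark parameters), a salted PBKDF2 hash standing in for the "one-way hash", and illustrative values for MAX_TRIES, ATTEMPT_WINDOW and CONFIRM_TTL; the `now` argument is an injectable clock so the time windows can be exercised without waiting.

```python
import hashlib, hmac, os, secrets, time

MAX_TRIES, ATTEMPT_WINDOW, CONFIRM_TTL = 3, 600, 3600      # assumed tunables; times in seconds
INCORRECT, LOCKED, SUCCESS = "INCORRECT", "LOCKED", "SUCCESS"

def _hash(password, salt):          # salted one-way hash; the password itself is never stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountManager:
    def __init__(self, conn, now=time.time):
        self.db, self.now = conn, now   # any DB-API 2.0 connection (qmark style); injectable clock
        self._q("CREATE TABLE IF NOT EXISTS users (email TEXT PRIMARY KEY, salt BLOB, pwhash BLOB,"
                " created REAL, link_id TEXT UNIQUE, status TEXT, last_attempt REAL, tries INTEGER)")

    def _q(self, sql, params=()):      # run one statement through a cursor and commit it
        cur = self.db.cursor(); cur.execute(sql, params); self.db.commit(); return cur

    def create(self, email, password):
        if self._q("SELECT 1 FROM users WHERE email=?", (email,)).fetchone():
            return None                 # already registered
        salt, link_id = os.urandom(16), secrets.token_urlsafe(32)
        self._q("INSERT INTO users VALUES (?,?,?,?,?,?,?,?)", (email, salt, _hash(password, salt),
                self.now(), link_id, "UNCONFIRMED", 0.0, 0))
        return link_id                  # caller embeds this in the confirmation email

    def confirm(self, link_id):
        row = self._q("SELECT email, created, status FROM users WHERE link_id=?", (link_id,)).fetchone()
        if row is None or row[2] != "UNCONFIRMED":
            return False                # bogus link id or already confirmed
        if self.now() - row[1] > CONFIRM_TTL:
            self._q("DELETE FROM users WHERE email=?", (row[0],))   # expired: free the id
            return False
        self._q("UPDATE users SET status='CONFIRMED' WHERE email=?", (row[0],))
        return True

    def login(self, email, password):
        row = self._q("SELECT salt, pwhash, status, last_attempt, tries FROM users WHERE email=?",
                      (email,)).fetchone()
        if row is None or row[2] != "CONFIRMED":    # unknown and unconfirmed get the same answer
            return LOCKED if row and row[2] == "LOCKED" else INCORRECT
        salt, pwhash, status, last, tries = row
        now = self.now()
        if not hmac.compare_digest(_hash(password, salt), pwhash):
            tries = tries + 1 if now - last <= ATTEMPT_WINDOW else 1   # failures inside the window
            status = "LOCKED" if tries >= MAX_TRIES else status        # lock on the MAX_TRIES-th one
            self._q("UPDATE users SET last_attempt=?, tries=?, status=? WHERE email=?",
                    (now, tries, status, email))
            return LOCKED if status == "LOCKED" else INCORRECT
        self._q("UPDATE users SET last_attempt=?, tries=0 WHERE email=?", (now, email))
        return SUCCESS
```

A locked account stays locked until something outside this module resets its status, which matches the thread's sketch; the master would also want to send the confirmation email and set the session cookie itself.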

    • Felix Schwarz

      #3
      Re: authentication project

      Hi,

      for some of the "ground work" you could use the Python Web Modules
      (www.pythonweb.org).

      fs
