I've always found security to be a bit of a conundrum. I'm working on a web application that requires some reasonable level of security. The passwords are stored as a double-md5-hashed value in a database. I don't have any issues "getting" the password out of the database, but am curious as to the best method for creating and enforcing user sessions when working on webapps. I remember reading many years ago when studying PHP that setting sessions when working with web applications is important: you shouldn't set the password in the session, but setting the username only may result in weak security.
Does anyone have any opinions on the best way to attack security in a CherryPy web application?
I've written an extended version of the Digest Auth tool which may
help if your app is designed on RESTful lines. Though your mention of
sessions implies that may not be the case. It should be possible to
hook it into CherryPy's Sessions tool if you really can't avoid
sessions.
The tool uses expiring nonces to allow things like logout, forcible
logout after a set time, one-time access (ie force re-authentication
on every access), access control depending on the HTTP method, and a
simple role based authorisation scheme.
It's subject to most of the limitations of Digest Authentication,
except that replay attacks are limited by the nonce expiration
mechanism.
All the other attack possibilities are mitigated by using SSL, which
you will be in any case if you want any sort of security.
If I could work out how to add a new page to the Wiki I would - but it
doesn't seem to be possible to edit the Tools List page where the link
should go.
I can add a link to the Start page, but that's no use. How is it
supposed to be done?
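As an added illustration of the mechanism Pete describes (this is not his tool's code, nor anything from CherryPy), here is a self-authenticating expiring nonce: the server signs an issue timestamp with an HMAC, so it can reject forged, expired or replayed nonces without a nonce table, and a hypothetical role table gates each HTTP method. The secret, lifetime and role names are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

class NonceAuthorizer:
    """Expiring nonce of the form "<issued_at>:<random>:<mac>" where
    mac = HMAC-SHA256(secret, "issued_at:random"). `lifetime` forces
    re-authentication after a set time; `one_time=True` rejects any nonce
    that has already been used, i.e. re-authentication on every access."""

    def __init__(self, secret, lifetime, one_time=False, clock=time.time):
        self.secret = secret
        self.lifetime = lifetime          # seconds a nonce stays valid
        self.one_time = one_time
        self.clock = clock                # injectable so tests can move time
        self._used = set()                # nonces already consumed (one_time)

    def _mac(self, issued_at, rand):
        msg = f"{issued_at}:{rand}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self):
        issued_at = int(self.clock())
        rand = os.urandom(8).hex()
        return f"{issued_at}:{rand}:{self._mac(issued_at, rand)}"

    def validate(self, nonce):
        """Return (accepted, reason); rejection means the client re-authenticates."""
        try:
            issued_at, rand, mac = nonce.split(":")
            issued_at = int(issued_at)
        except ValueError:
            return False, "malformed"
        # MAC first, so a forged timestamp cannot steer the later checks.
        if not hmac.compare_digest(mac, self._mac(issued_at, rand)):
            return False, "bad-mac"
        age = self.clock() - issued_at
        if age < 0 or age > self.lifetime:
            return False, "expired"
        if self.one_time:
            if nonce in self._used:
                return False, "replayed"
            self._used.add(nonce)
        return True, "ok"

# Hypothetical role table: which roles may use which HTTP method.
METHOD_ROLES = {
    "GET": {"reader", "editor", "admin"},
    "POST": {"editor", "admin"},
    "PUT": {"editor", "admin"},
    "DELETE": {"admin"},
}

def authorize(auth, nonce, user_roles, method):
    """Nonce check first (401 forces re-authentication), then roles (403)."""
    accepted, reason = auth.validate(nonce)
    if not accepted:
        return 401, reason
    if not set(user_roles) & METHOD_ROLES.get(method, set()):
        return 403, "forbidden"
    return 200, "ok"
```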
On Jul 8, 5:31 pm, "Robert Brewer" <fuman...@aminus.org> wrote:
So _that's_ what it means in the 'Steps to Add a New Wiki Page' item 3
in the Wiki Help.
<quote>
1. Choose a name for your new page. See WikiPageNames for naming
conventions.
2. Edit an existing page and add a hyperlink to your new page. Save
your changes.
3. Follow the link you created to take you to the new page. Trac
will display a "describe PageName here" message.
4. Click the "Edit this page" button to edit and add content to
your new page. Save your changes.
5. All done. Your new page is published.
</quote>
Seems step 2, which is where I got stuck, is irrelevant.
Wow! Sounds like you went all out on your code. :)
How hard is it to create a basic authentication scheme? I'm certainly not a security guru and I'm aware that making one mistake could result in a security hole. Some folks have indicated to me (privately) that I should simply create a form, get the returned variables and then compare the password to the database. If everything checks out I can simply create a session and proceed with letting the user in to the private sites.
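As an added example of the flow James describes (a form posts the credentials, the server compares the password against the stored record, and on success creates a session), not code from the thread or from CherryPy: the user table is constructed, a salted PBKDF2 hash stands in for the double-md5 storage, and the cookie would carry only the random id that `login` returns, never the username or password.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # PBKDF2 work factor; raise it as hardware gets faster

def make_password_record(password, salt=None):
    """Store (salt, PBKDF2-SHA256 digest) instead of an unsalted double md5."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Constructed user table standing in for the database in the thread.
USERS = {"alice": make_password_record("correct horse")}
_DUMMY = (b"\0" * 16, b"\0" * 32)   # same hashing cost for unknown users

def verify_password(username, password):
    """Constant-time comparison; unknown usernames still pay for a hash, so
    the response time does not reveal whether the account exists."""
    salt, expected = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return username in USERS and hmac.compare_digest(candidate, expected)

class SessionStore:
    """Server-side sessions: the cookie value is only a random id; the
    username lives in this table and the password is never kept anywhere."""

    def __init__(self, lifetime=3600, clock=time.time):
        self.lifetime = lifetime          # absolute timeout in seconds
        self.clock = clock                # injectable so tests can move time
        self._sessions = {}               # session id -> (username, expires_at)

    def login(self, username, password):
        """Core of the form handler: verify, then mint a fresh id (no fixation)."""
        if not verify_password(username, password):
            return None
        sid = os.urandom(32).hex()
        self._sessions[sid] = (username, self.clock() + self.lifetime)
        return sid

    def current_user(self, sid):
        """Resolve a cookie value to a username, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[sid]       # forced re-login after the lifetime
            return None
        return username

    def logout(self, sid):
        self._sessions.pop(sid, None)
```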
Hi James,
A couple of years ago I created a simple authentication. I am now looking to put the 'right' authentication in place from a security, simplicity and elegance point of view...Maybe we could share ideas, code and research to get a good authentication system up on our websites, as we go along. This could also help with the problem solving...
> Thoughts? > -j
> On Tue, Jul 8, 2008 at 5:47 AM, Pete H <pe...@ssbg.zetnet.co.uk> wrote:
> > On Jul 8, 12:37 am, James <j...@nc.rr.com> wrote:
> >> All,
> >> I'm trying to set up an authentication scheme in my CherryPy webapp.
> >> I've seen both simple and complex snippets of code in the Wiki, such
> >> as:
Given the slew of options available for user authentication, what is the best way to go? I am looking for a standard secure login where logged in users can access a private area...Given the various approaches and code, what are the heavyweights using?
That's one of the things I like about web frameworks like Django and TurboGears; they seem to make it very easy to set up simple authentication so that credentials are required to view certain pages.
I have pored over quite a bit of CherryPy documentation and haven't really found any "great" article on how to write something simple, very secure and straightforward...
On Wed, Jul 9, 2008 at 12:33 AM, arjuna <brahmafor...@gmail.com> wrote:
> Hi All,
> On 7/9/08, arjuna <brahmafor...@gmail.com> wrote:
There are some very simple examples. Like if you go to tools in the wiki the following seem quite straightforward:
password protected pages
mutiauth
However, given the other options I am not sure which is the best or standard way to go. Also I am not sure how secure the password protected pages code is? It is very simple and straightforward though?
On Wed, Jul 9, 2008 at 3:53 PM, James <j...@nc.rr.com> wrote:
> I would also like to know.
> Thoughts?