Can I implement a web user authentication system in python without POST?

My university doesn't support the POST cgi method (I know, it's crazy), and I was hoping to be able to have a system where a user can have a username and password and log in securely. Is this even possible?

If it's not, how would you do it with POST? Just out of curiosity.

Cheers!


Asked by: Roman666 | Posted: 05-10-2021






Answer 1

You can actually do it all with GET methods. However, you'll want to use a full challenge response protocol for the logins. (You can hash on the client side using javascript. You just need to send out a unique challenge each time.) You'll also want to use SSL to ensure that no one can see the strings as they go across.

In some senses there's no real security difference between GET and POST requests as they both go across in plaintext, in other senses and in practice... GET is a hell of a lot easier to intercept and is all over most people's logs and your web browser's history. :)

(Or as suggested by the other posters, use a different method entirely like HTTP auth, digest auth or some higher level authentication scheme like AD, LDAP, kerberos or shib. However I kinda assumed that if you didn't have POST you wouldn't have these either.)

Answered by: Marcus937 | Posted: 06-11-2021



Answer 2

You could use HTTP Authentication, if supported.

You'd have to add SSL, as all methods, POST, GET and HTTP Auth (well, except Digest HTTP authentication) send plaintext.

GET is basically just like POST, it just has a limit on the amount of data you can send which is usually a lot smaller than POST and a semantic difference which makes GET not a good candidate from that point of view, even if technically they both can do it.

As for examples, what are you using? There are many choices in Python, like the cgi module or some framework like Django, CherryPy, and so on.

Answered by: Elise398 | Posted: 06-11-2021



Answer 3

With a bit of JavaScript, you could have the client hash the entered password and a server-generated nonce, and use that in an HTTP GET.

Answered by: John151 | Posted: 06-11-2021



Answer 4

A good choice: HTTP Digest authentication

Harder to pull off well, but an option: Client-side hashing with Javascript

Answered by: Arthur505 | Posted: 06-11-2021



Answer 5

Javascript is the best option in this case.

Along with the request for the username and password, it sends a unique random string. You can then use a javascript md5 library to generate a hashed password, by combining the random string and the password [pwhash = md5(randomstring+password)]. The javascript then instantiates the call to http://SERVER/login.cgi?username=TheUsername&random=RANDOMSTRING&pwhash=0123456789abcdef0123456789abcdef

The server must then do two things: Check if the random string has EVER been used before, and if it has, deny the request. (very important for security)

Look up the plaintext password for username, and do md5(randomstring+password). If that matches what the user supplied in the URL as a pwhash, then you know it's the user.

The reason you check if the random string has ever been used before is to stop a repeat attack. If somebody is able to see the network traffic or the browser history or logs, then they could simply log in again using the same URL, and it doesn't matter whether they know the original password or not.

I also recommend putting "Pragma: no-cache" and "Cache-Control: no-cache" at the top of the headers returned by the CGI script, just so that the authenticated session is not stored in the browser's or your ISP's web cache.

An even more secure solution would be using proper encryption and Challenge-Response. You tell the server your username, the server sends back a Challenge (some random string encrypted with your password), and you tell the server what the random string was. If you're able to tell the server, then obviously you have the password and are who you say you are! Kerberos does it this way, but quite a lot more carefully to prevent all sorts of attacks.

Answered by: Lucas813 | Posted: 06-11-2021
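The challenge-response-over-GET idea from Answer 1 and the concrete nonce scheme from Answer 5, written out as an added example (not code from any of the posters): the client builds the login URL, and the server issues nonces, burns each one on first sight so a captured URL cannot be replayed, and compares hashes in constant time. The names USERS, NONCE_TTL, ChallengeLogin, the 300-second nonce lifetime and the sample user are assumptions; md5 is kept only to match the answer, and note that this scheme forces the server to store the password itself in order to recompute the hash, which is a weakness on top of the need for SSL.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample user store; the scheme needs the server to know the password itself.
USERS = {"alice": "correct horse battery staple"}
NONCE_TTL = 300  # seconds a challenge stays valid (assumed value)

def client_login_url(server, username, nonce, password, digest="md5"):
    """What the browser-side JavaScript builds: hash(nonce + password) sent in a GET."""
    pwhash = hashlib.new(digest, (nonce + password).encode()).hexdigest()
    query = urlencode({"username": username, "random": nonce, "pwhash": pwhash})
    return f"{server}/login.cgi?{query}"

class ChallengeLogin:
    """Server side: issue one-time nonces, verify the hash, refuse any reuse."""

    def __init__(self, users, digest="md5"):
        self.users = users
        self.digest = digest      # md5 as in the answer; "sha256" is a drop-in
        self.issued = {}          # nonce -> time issued, not yet consumed
        self.used = set()         # every nonce ever presented, success or failure

    def new_challenge(self, now=None):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, url, now=None):
        """Return the username for a valid, unreplayed login URL, else None."""
        now = time.time() if now is None else now
        q = parse_qs(urlparse(url).query)
        user, nonce, pwhash = (q.get(k, [""])[0] for k in ("username", "random", "pwhash"))
        # Burn the nonce before anything else, so a captured URL is dead on arrival.
        if nonce in self.used:
            return None
        self.used.add(nonce)
        issued_at = self.issued.pop(nonce, None)
        if issued_at is None or now - issued_at > NONCE_TTL:
            return None           # never issued by this server, or issued too long ago
        password = self.users.get(user)
        if password is None:
            return None
        expected = hashlib.new(self.digest, (nonce + password).encode()).hexdigest()
        # Constant-time compare: a plain == would leak how many digits matched.
        return user if hmac.compare_digest(expected.encode(), pwhash.encode()) else None
```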



Answer 6

Logging in securely is very subjective. Full 'security' is not easy to achieve (if at all possible...debatable). However, you can come close.

If POST is not an option, maybe you can use a directory security method such as .htaccess or windows authentication depending on what system you're on.

Both of the above will get you the pop-up window that allows for a username and password to be entered.

To use POST as the method to send the login credentials, you'd just use an HTML form with method="post" and retrieve the information from, say, a PHP or ASP page, using the $_POST['varname'] method in PHP or the request.form("varname") method in ASP. From the PHP or ASP page, as an example, you can do a lookup in a database of users, to see if that username/password combination exists, and if so, redirect them to the appropriate page.

As reference, use http://www.w3schools.com/ASP/showasp.asp?filename=demo_simpleform for the HTML/ASP portion

Answered by: Kevin950 | Posted: 06-11-2021


