Working on a log in script to my webpage

Pete.....

Hi all I am working on a log in script for my webpage.

I have the username and the password stored in a PostgreSQL database.

The first thing I do is make an HTML form where the user can type in his
username and code. When this is done I want to run the script
(testifcodeisokay) that verifies that the code and username are the right
ones (that means if they match the particular entered username and
password). If they are, then I want to load page1; if they are not, I want
to load the login page again.

Login page:

print('''<form action='testifcodeisokay.py'><br>
<p>Username:<br> <INPUT type="text" NAME="username"></p>
<p>Code:<br> <INPUT type="text" NAME="code"></p>''')

print('''<p><input type=submit value='Submit'></p></form>''')
print('''</body> </html>''')

This works.
Here I store the entered text in the variables "username" and "code"
I then get the entered value by

testifcodeisokay script

import cgi
from pyPgSQL import PgSQL

connect = PgSQL.connect(user="user", password="password", host="host",
                        database="databse")
cur = connect.cursor()

form = cgi.FieldStorage()
username = form["username"].value
code = form["code"].value

I then want to test if they match the ones in the database

# the values are passed separately so the driver quotes them
insert_command = ("SELECT username, code FROM codetable WHERE "
                  "codetable.username = %s AND codetable.code = %s")
cur.execute(insert_command, (username, code))

I should then have found where the entered username,code (on the login page)
is the same as those in the database.

But now I am stuck.

Does anyone know how I can then do something like:

If the codes from the loginpage match the user's codes in the db
Then the user should be taken to page1
If the codes aren't correct the login page should load again.

The program doesn't need to remember who the user is, after the user has been
logged in, it is only used to log the user in.

Thanks for your time..
 
Steve Holden

Pete..... said:
Hi all I am working on a log in script for my webpage.

I have the username and the password stored in a PostgreSQL database.

The first thing I do is make an HTML form where the user can type in his
username and code. When this is done I want to run the script
(testifcodeisokay) that verifies that the code and username are the right
ones (that means if they match the particular entered username and
password). If they are, then I want to load page1; if they are not, I want
to load the login page again.

Login page:

print('''<form action='testifcodeisokay.py'><br>
<p>Username:<br> <INPUT type="text" NAME="username"></p>
<p>Code:<br> <INPUT type="text" NAME="code"></p>''')

print('''<p><input type=submit value='Submit'></p></form>''')
print('''</body> </html>''')

This works.
Here I store the entered text in the variables "username" and "code"
I then get the entered value by

testifcodeisokay script

import cgi
from pyPgSQL import PgSQL

connect = PgSQL.connect(user="user", password="password", host="host",
                        database="databse")
cur = connect.cursor()

form = cgi.FieldStorage()
username = form["username"].value
code = form["code"].value

I then want to test if they match the ones in the database

# the values are passed separately so the driver quotes them
insert_command = ("SELECT username, code FROM codetable WHERE "
                  "codetable.username = %s AND codetable.code = %s")
cur.execute(insert_command, (username, code))

This is an amazingly bad choice of variable name, since the command
doesn't actually insert anything into the database!

I should then have found where the entered username,code (on the login page)
is the same as those in the database.

But now I am stuck.

Does anyone know how I can then do something like:

If the codes from the loginpage match the user's codes in the db
Then the user should be taken to page1
If the codes aren't correct the login page should load again.

The program doesn't need to remember who the user is, after the user has been
logged in, it is only used to log the user in.

Thanks for your time..

The Python you want is almost certainly something like

if len(cur.fetchall()) == 1:
    # username/password was found in db

although unless your database is guaranteed to contain only one of each
combination it might be better to test

if len(cur.fetchall()) != 0:
    # username/password was found in db

There are other matters of concern, however, the most pressing of which is:

How am I going to stop user from navigating directly to page1?

Answering this question will involve learning about HTTP session state
and writing web applications. I could write a book on that subject :)

regards
Steve
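
An added example (not code from the thread): the login check from the question with the username bound as a query parameter and the stored code kept as a salted PBKDF2 hash rather than plain text. It uses the standard-library sqlite3 module as a stand-in for PostgreSQL so it runs offline; the table columns, the sample user and the function names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value)


def hash_code(code, salt):
    """Salted hash, so the table never holds the plain login code."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ITERATIONS)


def make_db():
    """Constructed sample data: one user in an in-memory codetable."""
    db = sqlite3.connect(":memory:")
    # PRIMARY KEY guarantees at most one row per username.
    db.execute("CREATE TABLE codetable "
               "(username TEXT PRIMARY KEY, salt BLOB, code_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO codetable VALUES (?, ?, ?)",
               ("pete", salt, hash_code("s3cret-code", salt)))
    return db


def check_login(db, username, code):
    """True only if the username exists and the code matches its hash."""
    # The placeholder keeps the input as data, never as part of the SQL text.
    # sqlite3 writes it as ?, PostgreSQL drivers such as psycopg2 as %s.
    row = db.execute("SELECT salt, code_hash FROM codetable "
                     "WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_code(code, salt), stored)


def next_page(db, username, code):
    """Which page the CGI script sends the browser to after the form post."""
    return "page1" if check_login(db, username, code) else "loginpage"
```

A username or code containing an apostrophe is handled like any other value here, because it never becomes part of the SQL statement.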
 
Pete.....

Steve Holden said:
How am I going to stop user from navigating directly to page1?

Answering this question will involve learning about HTTP session state and
writing web applications. I could write a book on that subject :)

regards
Steve

Thanks Steve

And yes I haven't thought about that, guess I have to figure something else
out.
 
Kent Johnson

Pete..... said:
Hi all I am working on a log in script for my webpage.

I have the username and the password stored in a PostgreSQL database.

You might want to look at Snakelets and CherryPy.

Snakelets is "a very simple-to-use Python web application server." One of the features is "Easy user
authentication and user login handling."
http://snakelets.sourceforge.net/

CherryPy is "a pythonic, object-oriented web development framework" that seems to be popular. A
recipe for password-protected pages in CherryPy is here:
http://www.cherrypy.org/wiki/PasswordProtectedPages

Kent
 
Pete.....

Thanks.

But I would really like to do this from scratch, so that I can learn it, I
don't think I need that much more, before it works.

I found an example with asp, where they save the session if the password is
correct. It isn't that long a code, so was wondering if it isn't possible to
make something like that in python. Cause when this code is applied to the
loginform, CODE2 will only have to be applied to every following page and
everything is good.

code is from:
http://tutorialized.com/tutorial/Creating-a-Members-Area-in-ASP/2234

CODE1
Set objRS = objConn.Execute (strSQL)
'// see if there are any records returned
If objRS.EOF Then
    'no username found
    strError = "- Invalid username or password<br>" & vbNewLine
Else
    'check password
    If objRS("password")=Request.Form("password") Then
        'username/password valid
        'save session data
        Session("loggedin") = True
        Session("userid") = objRS("id")
        'redirect to members area
        Response.Redirect ("default.asp")
        Response.End
    Else
        'invalid password
        strError = "- Invalid username or password<br>" & vbNewLine
    End If
End If

CODE2
<%
If Session("loggedin") <> True Then Response.Redirect "login.asp"
%>
<html>
<head>
<title>Members Area</title>
</head>
<body>
<h1>Members Area</h1>
<p>Welcome to our members area!</p>
</body>
</html>

In my code I have already tested if the username and password is
correct, so I just need to do the cookie thing :D

Thanks all, hope all my questions don't make you tired, I just really wanna
figure this out, and I am doing this as a little hobby of mine, so I don't
have anyone else to ask, hope that is okay...
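
A Python counterpart to the ASP session check in the post above, as an added example that is not from the thread or the linked tutorial: the login script issues an HMAC-signed cookie, and every protected page verifies it before printing anything else. The key value, the 30-minute lifetime, the cookie name `session` and the `loginpage.py` URL are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a random key that lives only on the server (placeholder value).
SECRET_KEY = b"replace-with-32-random-bytes"
MAX_AGE = 1800  # seconds a login stays valid (assumed value)


def _sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()


def make_session_cookie(username, now=None):
    """CODE1 counterpart: header to print once the login check succeeds."""
    expires = int(time.time() if now is None else now) + MAX_AGE
    payload = base64.urlsafe_b64encode(f"{username}|{expires}".encode())
    token = (payload + b"." + _sign(payload)).decode()
    # Secure means the cookie is only sent over HTTPS.
    return f"Set-Cookie: session={token}; HttpOnly; Secure; Path=/"


def verify_session(token, now=None):
    """Return the logged-in username, or None if the cookie is not valid."""
    try:
        payload, sig = token.encode().split(b".")
        if not hmac.compare_digest(_sign(payload), sig):
            return None  # forged, or edited in the browser
        name, expires = base64.urlsafe_b64decode(payload).decode().rsplit("|", 1)
        if int(expires) < (time.time() if now is None else now):
            return None  # login has expired
        return name
    except (ValueError, AttributeError):
        return None  # missing or malformed cookie


def guard_page(cookie_header, now=None):
    """CODE2 counterpart: first headers of every protected page."""
    token = None
    for part in (cookie_header or "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == "session":
            token = value
    if verify_session(token, now) is None:
        return "Status: 302 Found\nLocation: loginpage.py\n\n"
    return "Content-Type: text/html\n\n"
```

In a CGI script the `cookie_header` argument is the `HTTP_COOKIE` environment variable, and the string returned by `guard_page` is written before any page content.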
 
Pete.....

Hi all.

Unfortunately it looks like I don't have the skill to make a secure log in, can't
figure out what the code has to look like, so guess my webpage has to live
with a security issue.

Thanks for the effort you put into teaching me the use of cookies.

Best wishes
Pete....
 
Joe

Pete,

What web server are you using?

Take a look at Apache and use digest authentication. The password is not
sent in clear text and it's fairly easy to set up. Plus you won't have to do
anything in your web pages. Once you set up digest authentication on the web
server for the specified directories, the user will be prompted by their
browser for the user / pswd and as long as the directories they access are
using the same authentication the user will not be prompted again until they
close their session.

It's pretty easy to set up.

Joe
 
Fuzzyman

Pete..... said:
Hi all.

Unfortunately it looks like I don't have the skill to make a secure log in, can't
figure out what the code has to look like, so guess my webpage has to live
with a security issue.

Thanks for the effort you put into teaching me the use of cookies.

I've written a library called 'login_tools' that does login/user
management for CGI scripts. It doesn't use a database to store logins
though.

You can find it at (with online example):
http://www.voidspace.org.uk/python/logintools.html

If you want any help setting it up or working with it then feel free to
email me about it. It's possible to plug it in to existing CGI scripts
with literally two lines of code....

Regards,

Fuzzy
http://www.voidspace.org.uk/python/index.shtml
 
