I wrote a cherrypy server to facilitate a file download and I used cherrypy auth digest to authenticate it. The configuration for this is:

conf = {
    '/getXML': {
        'tools.auth_digest.on': True,
        'tools.auth_digest.realm': None,
        'tools.auth_digest.get_ha1': auth_digest.get_ha1_dict_plain(USERS),
        'tools.auth_digest.key': <some_key>
    }
}

What is the role of that key?

Also, upon successful authentication, when I hit the server again it remembers login and does not prompt for credentials again. How can I ask for credentials for each and every request without remembering login?

Pravesh Jain

1 Answer

Think of the key as a session id. You generate it once the user comes to your site...

import random
import string

import cherrypy

# generate a 16-character token and keep it in the server-side session
cherrypy.session['_csrf_token'] = ''.join(random.choice(string.ascii_uppercase + string.digits) for x in range(16))

then you set that id in the user's cookies and you compare the two keys to be sure you have the same user. That is the concept behind using the 'tools.sessions.on': True setting in cherrypy. This allows you to know a user from one page to another in a stateless environment such as http.

https://cherrypy.readthedocs.org/en/3.3.0/refman/lib/auth_digest.html#cherrypy.lib.auth_digest.HttpDigestAuthorization.validate_nonce

validate_nonce(s, key)

    Validate the nonce. Returns True if nonce was generated by synthesize_nonce() and the timestamp is not spoofed, else returns False.

    s
        A string related to the resource, such as the hostname of the server.
    key
        A secret string known only to the server.

    Both s and key must be the same values which were used to synthesize the nonce we are trying to validate.

Looks like forcing a logout with auth digest is not possible...

https://groups.google.com/d/msg/cherrypy-users/M-GUFH2mU_M/45zHnA5Y6XMJ

Here are more details on digest authentication...

What is digest authentication?

But this is a simple authentication where you can force a logout...

How to logout from a simple web appl. in CherryPy, Python

Hope this helps!

Andrew Kloos
  • After making a successful request, I searched my browser's local storage and cookies but could not find that key. How is the server storing this key? – Pravesh Jain Nov 07 '15 at 18:55
  • I've updated my answer and added a link with more details about digest authentication but I don't think you'll achieve what you want without looking into the 'tools.sessions.on': True setting. – Andrew Kloos Nov 08 '15 at 15:18
  • Thanks Andrew. I tried setting 'tools.sessions.on' to false but it didn't help. – Pravesh Jain Nov 09 '15 at 06:55
  • I'm saying digest auth will not help your situation; you need to look into using cherrypy sessions... http://stackoverflow.com/questions/13318215/how-to-logout-from-a-simple-web-appl-in-cherrypy-python – Andrew Kloos Nov 10 '15 at 18:57
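The validate_nonce() description quoted in the answer above is easier to see in code. What follows is an added illustration, not CherryPy's implementation (its real synthesize_nonce() uses a different hash layout): the nonce is a timestamp bound to s and the server-side key by a MAC, so a client that never learns the key can neither forge a nonce nor extend its lifetime, which is also why the key shows up in no cookie or local storage. The HMAC-SHA256 construction, the max_age freshness check and the sample values are assumptions of this example.

```python
import hashlib
import hmac
import time

# Constructed illustration of the nonce scheme described by the quoted docs.
# NOT CherryPy's code: the HMAC layout is an assumption chosen to show the
# roles of `s` (resource string) and `key` (server-only secret).


def synthesize_nonce(s, key, timestamp=None):
    """Return 'hex_timestamp:mac' where the MAC binds the timestamp to s and key."""
    if timestamp is None:
        timestamp = int(time.time())
    ts = format(timestamp, 'x')
    mac = hmac.new(key.encode(), f'{ts}:{s}'.encode(), hashlib.sha256).hexdigest()
    return f'{ts}:{mac}'


def validate_nonce(nonce, s, key, max_age=None, now=None):
    """True only if nonce was made with the same s and key (and is fresh if max_age is set)."""
    try:
        ts, mac = nonce.split(':', 1)
        timestamp = int(ts, 16)
    except ValueError:
        return False  # malformed nonce
    expected = hmac.new(key.encode(), f'{ts}:{s}'.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # forged, or timestamp field edited after issue
    if max_age is not None:
        now = time.time() if now is None else now
        if timestamp > now or now - timestamp > max_age:
            return False  # future-dated or expired
    return True


def demo():
    key = 'server-only-secret'  # constructed; the client never sees this
    s = 'localhost'             # the `s` value, e.g. the server hostname
    issued = 1_700_000_000      # constructed issue time
    genuine = synthesize_nonce(s, key, timestamp=issued)
    return {
        'genuine': validate_nonce(genuine, s, key),
        'wrong_key': validate_nonce(genuine, s, 'other-key'),
        'wrong_s': validate_nonce(genuine, 'example.org', key),
        'spoofed_timestamp': validate_nonce('7fffffff:' + genuine.split(':')[1], s, key),
        'stale': validate_nonce(genuine, s, key, max_age=300, now=issued + 3600),
        'fresh': validate_nonce(genuine, s, key, max_age=300, now=issued + 60),
        'garbage': validate_nonce('not-a-nonce', s, key),
    }


if __name__ == '__main__':
    for name, ok in demo().items():
        print(f'{name:18} -> {ok}')
```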