Secure authentication system in python?

2024/4/15 2:12:18

I am making a web application in python and I would like to have a secure login system.

I have done login systems many times before by having the user login and then a random string is saved in a cookie which is also saved next to that user in a database which worked fine but it was not very secure.

I believe I understand the principles of an advanced system like this but not the specifics:

  • Use HTTPS for the login page and important pages
  • Hash the password saved in the database (bcrypt, sha256? use salt?)
  • Use nonces (encrypted with the page url and ip?)

But apart from those I have no idea how to reliably check if the person logged in is really the user, or how to keep sessions between page requests and multiple open pages securely, etc.

Can I have some directions (preferably specific ones, since I am new to this advanced security programming)?

I am just trying to accomplish a basic user login-logout to one domain with security, nothing too complicated.


This answer mainly addresses password hashing, and not your other subquestions. For those, my main advice would be don't reinvent the wheel: use existing frameworks that work well with GAE. It offers builtin deployments of Django, but also has a builtin install of WebOb, so various WebOb-based frameworks (Pyramid, Turbogears, etc.) should also be considered. All of these will have premade libraries to handle a lot of this for you (e.g. many of the WebOb frameworks use Beaker for their cookie-based session handling).

Regarding password hashing... since you indicated in some other comments that you're using Google App Engine, you want to use the SHA512-Crypt password hash.

The other main choices for storing password hashes as securely as possible are BCrypt, PBKDF2, and SCrypt. However, GAE doesn't offer C-accelerated support for these algorithms, so the only way to deploy them is via a pure-python implementation. Unfortunately, their algorithms do way too much bit-fiddling for a pure-python implementation to do a fast enough job to be both secure and responsive. Whereas GAE's implementation of the Python crypt module offers C-accelerated SHA512-Crypt support (at least, every time I've tested it), so it could be run at sufficient strength.

As far as writing actual code goes, you can use the crypt module directly. You'll need to take care of generating your own salt strings when passing them into crypt, and when encrypting new passwords, call crypt.crypt(passwd, "$6$" + salt). The $6$ tells it to use SHA512-Crypt.

Alternately, you can use the Passlib library to handle most of this for you (disclaimer: I'm the author of that library). For quick GAE deployment:

from passlib.context import CryptContext

# One context, one scheme; the rounds setting controls how expensive each hash is.
pwd_context = CryptContext(schemes=["sha512_crypt"], default="sha512_crypt", sha512_crypt__default_rounds=45000)

# hash a new password (salt is generated for you; stored string is self-describing)
# note: passlib 1.7+ names this method hash() and deprecates encrypt()
hash = pwd_context.encrypt("toomanysecrets")

# verify a login attempt against the stored hash (returns False here)
ok = pwd_context.verify("wrongpass", hash)

Note: if you care about password security, whatever you do, don't use a single HASH(salt+password) algorithm (e.g. Django, PHPass, etc.), as these can be trivially brute-forced.
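An added example (not part of the answer above, and not Passlib or GAE code) showing the weak single-pass HASH(salt+password) the answer warns against next to a hardened form. It uses PBKDF2 from the standard library, one of the alternatives the answer names, instead of the answer's SHA512-Crypt so it runs anywhere; the record format `scheme$rounds$salt$hash`, the function names and the iteration count are choices made for this illustration.

```python
import hashlib
import hmac
import secrets

# Weak scheme the answer warns against: one unstretched pass of HASH(salt + password).
# Cheap to compute means cheap to brute-force offline once the database leaks.
def weak_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

# Hardened scheme: per-user random salt, an iterated KDF (PBKDF2-HMAC-SHA256),
# and a self-describing record so the work factor can be raised later.
ITERATIONS = 600_000  # illustrative default; tune so one verify costs ~100 ms on your server

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = secrets.token_bytes(16)  # fresh random salt per password, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # malformed record, treat as a failed login
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so response timing does not leak how much matched.
    return hmac.compare_digest(dk.hex(), dk_hex)

def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record uses fewer rounds than the current policy,
    so the application can rehash on the next successful login."""
    return int(record.split("$")[1]) < iterations

if __name__ == "__main__":
    rec = hash_password("toomanysecrets")
    print(rec)
    print(verify_password("toomanysecrets", rec))  # True
    print(verify_password("wrongpass", rec))       # False
```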
