authentication project

im working on a project that involves creating a back end solution to
authenticate and manage user

accounts for a website. im new to python and am looking for some good
references that can help me
While you do specify "back-end", I'm not clear enough on how
this will be invoked... CGI, mod_python, Zope/Plone (though that set
already has authentication out of the box), CherryPy...

Who is responsible for the Web interface to the user? The login
screen, session cookies (going to be needed to identify a user a
logged-in as they go from page to page).

Or are you just a small module that some other existing
web-application will make use of, where that application handles all
user interface and session management. Who handles session time-out, you
or the application? Who handles the confirmation link handling? {you'll
notice I'm making reference to thing below}
with this task.

the requirements for the project are as follows:

A new user can register with their email address and password of their
choice. Upon registration, a

confirmation email shall be sent which contains a link that needs to be
clicked on within a fixed
I hope your web interface is using encrypted sessions for the
password, though you shouldn't be storing the password in the database
anyway -- store some one-way hash of it.

Your master is probably going to have to invoke something like:

if not accountmanager.create(user, password):
# return message that the account could not be entered
# maybe the user is already in the database

accountmanager.create() will have to:
1 check for the existence of the user in the data and
reject the request if found
2 hash the password, store the user id, password, and time stamp
into the database (along with some record id for the email link
and a flag for UNCONFIRMED)
3 format a confirmation request email and send it out

The master, when the email link is clicked, will have to do
something of:

if not accountmanager.confirm(unique_link_id):
# return message that the account could not be
# confirmed -- perhaps too much time, or bogus
# link ID, or already confirmed

accountmanager.confirm() does
1 retrieve record with specified ID, rejecting if the ID is not
found
2 compare confirmation time with creation time stamp and
reject if too much time has passed. Maybe delete the
user record from the database (so the id can be reused
on a new registration attempt)
3 compare status flag and reject if already confirmed
4 accept confirmation and update status flag to CONFIRMED
and set the account to UNLOCKED
The master, on a normal page request will check for a valid
session cookie; if found, it goes on -- otherwise it puts up the login
page and...

status = accountmanager.login(user, password)
if status == INCORRECT:
# return message about incorrect user/password
# DO NOT be particular, you don't want to tell someone
# that a password is incorrect for a valid user id, or
# that a user id is unknown
elif status == LOCKED:
# return message about locked account
else:
# set time limited session cookie

accountmanager.login() needs to do:
1 retrieve record for user; if no such user reject as INCORRECT
2 compare hashed password to saved hash; if no match,
reject as INCORRECT (ONLY AFTER COMPUTING LOCKED
STATE). Check "time of last login attempt" -- if
this attempt is > whatever the attempt period is, save this
time as the "time of last login attempt" and save Tries = 1. If
this attempt time is < time of last + attempt period, save Tries
Tries + 1. If Tries > limit, save and return status as LOCKED.
3 save time as time of last login attempt, optionally return Tries
so master can produce a "there were x failed login attempts
since your last successful login", return SUCCESS

-- ================================================== ============ <
wl*****@ix.netcom.com | Wulfraed Dennis Lee Bieber KD6MOG <
wu******@dm.net | Bestiaria Support Staff <
================================================== ============ <
Home Page: <http://www.dm.net/~wulfraed/> <
Overflow Page: <http://wlfraed.home.netcom.com/> <