1.2.3 Authentication and Authorisation

Once the auth environment is set up and the appropriate users and access privileges have been created, you will want to authenticate and authorise users.

To authenticate a user, the user needs to be able to sign in with their username and password. To remain signed in, the user information needs to be stored somewhere so that the user isn't immediately signed out again on the next HTTP request.

The web.auth module uses a web.session module session store to hold the auth session information about the currently signed-in user. This means you need to set up a web.session store as shown below; see the web.session module for full details. The session store for the auth session information is normally called auth, but you can use whichever session store you prefer. Make sure the variables set in the store cannot be accidentally overwritten by other applications by choosing a store name that other applications do not have access to.

import web.session
# cursor is a DB-API cursor from the database set up earlier (not shown in this excerpt)
session = web.session.manager(driver='database', cursor=cursor, autoCreate=1)
if not session.load():
    pass  # no existing session: handle as described in the web.session module (body not shown in this excerpt)
store = session.store('auth')

In order to authenticate users you will need to use a manager object. This has all the functionality of the admin object already described but also has session functionality.

import web.auth
auth = web.auth.manager(
    store=store,  # the auth session store created above
    expire=0,     # illustrative value: 0 means no limit on total signed-in time
    idle=0,       # illustrative value: 0 means no limit on time between visits
    # ... plus the parameters of the admin object described earlier (not shown here)
)

The manager object takes the parameters store, idle and expire in addition to all the parameters of the admin object. store is the session store to use for the auth session. expire is the maximum length of time a user can be signed in for; if expire is 0 the user can be signed in indefinitely (although in practice the session from the web.session module itself will not last forever). idle is the maximum length of time a user can remain signed in without visiting the site; again, a value of 0 means there is no limit.
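The expire and idle rules above are easy to get wrong (for example, forgetting that a visit must refresh the idle timer, or treating 0 as "expire immediately"). The following is an added example, not code from the web.auth module, that implements exactly those semantics against a plain dict standing in for a web.session store. The class name AuthSession, the store keys and the injectable clock are assumptions made for the illustration; expire and idle are in seconds.

```python
import time


class AuthSession:
    """Illustration of the expire/idle semantics described for web.auth.manager.

    Added example code, not part of the web.auth module.
      expire: maximum total seconds a user may stay signed in (0 = no limit)
      idle:   maximum seconds allowed between visits (0 = no limit)
    The store is a plain dict standing in for a web.session store; the clock
    is injectable so the behaviour can be tested without sleeping.
    """

    KEYS = ('username', 'signed_in_at', 'last_seen')

    def __init__(self, store, expire=0, idle=0, clock=time.time):
        if expire < 0 or idle < 0:
            raise ValueError("expire and idle must be >= 0 (0 means no limit)")
        self.store = store
        self.expire = expire
        self.idle = idle
        self.clock = clock

    def sign_in(self, username):
        """Record a successful sign-in; authentication itself happens elsewhere."""
        now = self.clock()
        self.store['username'] = username
        self.store['signed_in_at'] = now
        self.store['last_seen'] = now

    def sign_out(self):
        """Remove every auth key from the store so nothing stale survives."""
        for key in self.KEYS:
            self.store.pop(key, None)

    def current_user(self):
        """Return the signed-in username, or None; call once per HTTP request.

        A request counts as a visit, so a still-valid session has its idle
        timer refreshed. A session that has exceeded either limit is signed
        out before None is returned, so the store is cleaned up eagerly.
        """
        username = self.store.get('username')
        if username is None:
            return None
        now = self.clock()
        if self.expire and now - self.store['signed_in_at'] > self.expire:
            self.sign_out()        # total signed-in time exceeded
            return None
        if self.idle and now - self.store['last_seen'] > self.idle:
            self.sign_out()        # too long since the last visit
            return None
        self.store['last_seen'] = now
        return username


if __name__ == '__main__':
    # Constructed walk-through with a fake clock instead of real waiting.
    fake_now = [1000.0]
    store = {}
    auth = AuthSession(store, expire=600, idle=120, clock=lambda: fake_now[0])
    auth.sign_in('alice')
    fake_now[0] += 100          # within idle: still signed in
    print(auth.current_user())  # alice
    fake_now[0] += 121          # idle limit passed: signed out
    print(auth.current_user())  # None
```

Note that with both limits at 0 the checks are skipped entirely, which matches the documented meaning of 0 as "no limit"; the only thing then bounding the sign-in is the lifetime of the underlying web.session store, as the text points out.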