home > User Authentication with PostgreSQL database

User Authentication with PostgreSQL database


You want a system to authenticate users, with a postgresql database.


A user authentication system could have a lot of functions. For this example, we’re only going to manage the authentication process, through a postgresql database.


web.py for all the web functions, and hashlib to store the passwords securely:

import web
import hashlib

1st: The database

First of all, we need a table for the users. This scheme is very simple, but is enough for a lot of projects.

CREATE TABLE example_users
  id serial NOT NULL,
  user character varying(80) NOT NULL,
  pass character(40) NOT NULL,
  email character varying(100) NOT NULL,
  privilege integer NOT NULL DEFAULT 0,
  CONSTRAINT utilisateur_pkey PRIMARY KEY (id)

2nd: the urls

There will be 2 states during the login/logout session:

  • “Login” is for the login page
  • “Reset” for the logout page.

sessions doesn’t work in debug mode because it interfere with reloading. see session_with_reloader for more details.

import web
web.config.debug = False
urls = (
    '/login', 'Login',
    '/reset', 'Reset',

app = web.application(urls, locals())
db = web.database(dbn='postgres', db='YOURDB', user='USERNAME', pw='PASSWORD')
store = web.session.DiskStore('sessions')
session = web.session.Session(app, store,
                              initializer={'login': 0, 'privilege': 0})

3rd: Logged or not logged ?

To manage the access for people who are logged or not is very easy. Just define the logged expression like this, and use it for your login/reset classes:

def logged():
    if session.login==1:
        return True
        return False

4th: Easy Privleges Management

I manage my users in 4 categories: admin+user+reader (logged), and visitors (not logged). The directory template is choosing according to the privilege specified in the table example_users.

def create_render(privilege):
    if logged():
        if privilege == 0:
            render = web.template.render('templates/reader')
        elif privilege == 1:
            render = web.template.render('templates/user')
        elif privilege == 2:
            render = web.template.render('templates/admin')
            render = web.template.render('templates/communs')
        render = web.template.render('templates/communs')
    return render

5th: Login and Reset Python Classes

Now, let’s have fun:

  • If you are already logged, you are redirecting to the login_double.html template file
  • Else, to the login.html.
class Login:
    def GET(self):
        if logged():
            render = create_render(session.privilege)
            return '%s' % render.login_double()
            render = create_render(session.privilege)
            return '%s' % render.login()
  • Ok, ok. Now, for the POST(). According to the .html file, we recover the variables posted in the form (see the login.html), and we compare it to the example_users.user row.
  • For security, we don’t store passwords in the database directly, but store the hash of the password + salt; this is kind of line one-way encryption, so we can tell if the user’s passwords match, but an attacker couldn’t figure out what the password was to start with.
  • If the login/pass is ok, redirect to the login_ok.html.
  • If not, redirect to the login_error.html.

      def POST(self):
          name, passwd = web.input().name, web.input().passwd
          ident = db.select('example_users', where='name=$name', vars=locals())[0]
              if hashlib.sha1("sAlT754-"+passwd).hexdigest() == ident['pass']:
                  session.login = 1
                  session.privilege = ident['privilege']
                  render = create_render(session.privilege)
                  return render.login_ok()
                  session.login = 0
                  session.privilege = 0
                  render = create_render(session.privilege)
                  return render.login_error()
              session.login = 0
              session.privilege = 0
              render = create_render(session.privilege)
              return render.login_error()

For the reset function, we just kill the session, and redirect to the logout.html template file.

class Reset:

    def GET(self):
        session.login = 0
        render = create_render(session.privilege)
        return render.logout()

6th: HTML templates help

Well, I think that nobody will need this, but, I prefer to give all the informations. The most important is the login.html.

<form action="/login" method="POST">
	<table id="login">
			<td>User: </td>
			<td><input type="text" name="user"></td>
			<td>Password: </td>
			<td><input type="password" name="passwd"></td>
			<td><input type="submit" value="LOGIN"></td>

7th: Some problems or questions ?

  • Mail: you can contact me at guillaume(at)process-evolution(dot)fr
  • IRC: #webpy on irc.freenode.net (pseudo: Ephedrax)
  • Translations: I’m french, and my english is bad…you can edit my work
  • Revision: Vayn