Create a Simple Session Aware SSL Bottle LoginPublished on:
Bottle is a great micro web framework that can be as minimalist or feature rich as one wants. Bottle is great for rapid development and for debugging. However, Bottle is not recommended to be deployed in production as it lacks security and speed. The developers of Bottle know this and so made Bottle easily extendible.
A common want in web programming is having a secure login page and to remember the logged in user. This cannot be achieved without extending Bottle through various plugins. What this page shows is how to configure bottle so that this want can be satisified. In the end the web page will be able to take a user name and password and verify it on a linux server.
- Python 2.5+. Minimum requirement to run Bottle and friends.
- Bottle: This will be the web framework that will have everything based on it.
- CherryPy: Bottle can’t achieve SSL or heavy traffic, so this is where CherryPy comes in.
- Beaker: Will be used as Bottle middleware that allows session data.
- PyOpenSSL: CherryPy can’t operate SSL without this!
- OpenSSL: Program used to generate the self signed certificate.
OpenSSL and Self Signed Certificates
First the SSL certificate and private key are generated using OpenSSL. It is absolutley critical to generate a private key with 1024 bits else Internet Explorer will not display the page no matter what. The generated files, in this case privkey.pem and cacert.pem. For simplicity’s sake, these are stored inside the directory.
genrsa -out privkey.pem 1024 req -new -x509 -key privkey.pem -out cacert.pem -days 1095
While the source code can speak for itself I thought I would highlight some more of confusing aspects of this project.
Bottle and SSL
As previously dicussed, Bottle does not support SSL; however, CherryPy has it
implemented. The question is, how can we run Bottle with a SSL enabled CherryPy
server? When starting the Bottle application, one can specify the server to run
server='<serverName>'. The first thought is to have
server='cherrypy', but this starts the default CherryPy server which is not
SSL enabled. We don’t want the default server, we want a way to specify options
such as where the private key and certificate are located. The Bottle
documentation is nonexistant on how to accomplish this, so I didn’t know if this
was even possible. When encountered with a siutation such as this, a definitive
answer will be found inside the source code. I found that
instead of string parameter for
server that a subclass of Bottle’s
ServerAdapter is also valid. That was the hard part. Subsequently I looked at
another website as to how to configure CherryPy so that it used
my private key and certification.
If you'd like to leave a comment, please email firstname.lastname@example.org