3

I am developing a website using Google app engine and I want to know what is the proper way to handle the submission.

I was thinking of doing something like hashing the password client-side with some salt, and then hash it again with some other salt on the server-side.

I want to know if this is at least some decent security, and if it already exists a Python library that does just that or something better.

3 Answers

6

The standard practice is to use SSL encryption for the connection (e.g. https), then hash it with a salt on the server side. When a user later logs in, you will still have to verify the password, and sending a hash of the password from browser to server is just as insecure as sending the password itself; an attacker that intercepts either can still log in as that user.

There is a Python package called passlib that can take care of the various forms of password hashing and salting for you:

from passlib.hash import sha256_crypt
# .hash() generates a fresh random salt and returns a self-describing "$5$..." string;
# .encrypt() is the older name for the same method (deprecated since passlib 1.7)
hashed = sha256_crypt.hash(password)

It is generally a good idea to include the chosen algorithm in the stored password hash; RFC 2307 passwords (as used in LDAP) use a {SCHEME} prefix, other hash schemes use a unix $digit$ prefix, where digit is a number; the sha256 scheme in the code snippet above uses $5$ as a prefix.

That way you can upgrade your password scheme at a later time while still supporting older schemes by choosing the correct hashing algorithm to verify a password at a later time.

Most passlib hashing schemes already return hashes with their standard prefix, documented in each scheme's detailed documentation page. You can use the .identify() function to identify what hash algorithm was used when you later need to verify a password hash against an entered password.
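A worked illustration of the self-describing hash idea from this answer, added here and not taken from the answer or from passlib: using only the standard library, it stores a scheme prefix in the hash string, identifies the scheme on verification (like passlib's .identify()), and rehashes records written under a constructed weaker legacy scheme ($sha256$, assumed for the demonstration) the next time the user logs in successfully.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # current work factor for the preferred scheme


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Preferred scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    The result is self-describing: $pbkdf2-sha256$<rounds>$<salt>$<digest>."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"$pbkdf2-sha256${rounds}${_b64(salt)}${_b64(dk)}"


def legacy_hash(password: str, salt: bytes) -> str:
    """Constructed legacy scheme (one salted SHA-256 pass), kept only so that
    records written before the upgrade can still be verified."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    return f"$sha256${_b64(salt)}${_b64(digest)}"


def identify(stored: str) -> str:
    """Read the scheme name from the prefix; the stored string says how it was made."""
    parts = stored.split("$")
    if len(parts) < 3 or parts[0] != "":
        raise ValueError("unrecognised hash format")
    return parts[1]


def verify(password: str, stored: str) -> bool:
    """Dispatch on the prefix and compare in constant time."""
    scheme = identify(stored)
    if scheme == "pbkdf2-sha256":
        _, _, rounds, salt, dk = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), base64.b64decode(salt), int(rounds))
        return hmac.compare_digest(candidate, base64.b64decode(dk))
    if scheme == "sha256":
        _, _, salt, _ = stored.split("$")
        return hmac.compare_digest(legacy_hash(password, base64.b64decode(salt)), stored)
    raise ValueError(f"unsupported scheme {scheme!r}")


def needs_update(stored: str) -> bool:
    """True for the legacy scheme or for a PBKDF2 record below the current round count."""
    if identify(stored) != "pbkdf2-sha256":
        return True
    return int(stored.split("$")[2]) < PBKDF2_ROUNDS


def login(password: str, stored: str):
    """Returns (ok, new_hash); new_hash is set only when the password matched
    and the stored record should be rewritten under the preferred scheme."""
    if not verify(password, stored):
        return False, None
    return True, (hash_password(password) if needs_update(stored) else None)
```

Rehashing on login is the only opportunity to upgrade, since the plaintext is never available otherwise; records that never log in again stay on the old scheme and should be expired by policy.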


0
  1. Use TLS (HTTPS). It isn't perfect, but it is better than nothing (and way better than digest authentication).
  2. If you don't want to store passwords, you can let Google take care of everything: https://developers.google.com/appengine/articles/auth
  3. If you do want to worry about storing passwords, use passlib, as explained by Martijn Pieters.


-2

You are looking for digest authentication. Digest Auth is secure, that means, the password is not transferred in clear text. However, the communication after the auth is not encrypted.

See a full example here: http://code.activestate.com/recipes/302378-digest-authentication/

3 Comments

Digest Auth headers are never used these days.
Moreover, using Digest these days is a very bad idea indeed, since it uses MD5 hashes only. They are no longer considered secure.
However - I wanted to point the question opener to a way of implementing it. The way Digest mitigates replay attacks should be used in every non-SSL auth.
