Ticket #749 (defect)
Opened 9 months ago
Last modified 2 weeks ago
digest auth does not work with POST and InternalRedirect
Status: closed (wontfix)
| Reported by: | guest | Assigned to: | lawouach |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | CherryPy code | Keywords: | |
| Cc: | umaxx@oleco.net | | |
If I submit a POST request and start an InternalRedirect, digest auth will ask again for the password and the user is no longer able to log in.
Reproducible with the following code:
```python
import cherrypy


class Root:
    @cherrypy.expose
    def index(self):
        return """<html>
<head></head>
<body>
<a href="/sub">sub area</a>
<form action="/sub" method="post">
<input type="hidden" name="submitted" value="True" />
<input type="submit" name="select" value="Select" />
</form>
</body>
</html>
"""

    @cherrypy.expose
    def sub(self, select=None, submitted=None):
        #if submitted == "True":
        raise cherrypy.InternalRedirect("/sub2")
        return "This is a sub1 area"

    @cherrypy.expose
    def sub2(self, select=None):
        return "This is a sub2 area"


if __name__ == '__main__':
    def get_users():
        return {'test': 'test'}
    conf = {'/': {'tools.digest_auth.on': True,
                  'tools.digest_auth.realm': 'Some site',
                  'tools.digest_auth.users': get_users}}
    root = Root()
    cherrypy.quickstart(root, '/', config=conf)
```
Just press Select on the index page... GET seems to be working fine. Tested with 3.0.1 and 3.0.2 and Python 2.4 on OpenBSD.
Change History
11/05/07 15:30:10: Modified by guest
- cc set to umaxx@oleco.net.
01/16/08 16:39:26: Modified by lawouach
- owner changed from rdelon to lawouach.
- status changed from new to assigned.
01/16/08 17:12:19: Modified by fumanchu
02/18/08 13:26:38: Modified by lawouach
I agree with fumanchu. InternalRedirect is one of those features that CP brings that can have nasty side effects if we push its use too far. Usually speaking, doing a redirect on a POST, be it transparent to the client, is not a nice idea IMO, and I think it would be better practice to write tools that pre-process either the body and headers before hitting the appropriate page handlers.
I think we should close this ticket as invalid unless a better use case is shown.
02/20/08 14:56:51: Modified by guest
Hi, I reported this ticket. It's okay for me if it will be closed with "wontfix" or something, I understand if it's too hard to implement.
Just one additional question: in which case is an InternalRedirect really needed?
And for the record, this issue came up as we wanted to use InternalRedirect instead of HTTPRedirect here: http://www.petunial.de/devel/browser/trunk/petunial/_frontends/_web/_validate.py in lines 212 and 215. The idea behind it was to call validator.run() in any cherrypy function and redirect to the same function if errors in forms occur... Using InternalRedirect has the advantage that the URL is not rewritten, but HTTPRedirect with a given url/path is fine too. Maybe we will rewrite this as a pre-processing tool sometime.
07/09/08 02:29:45: Modified by nick125
- status changed from assigned to closed.
- resolution set to wontfix.


POST in general doesn't work with InternalRedirect, and I'm not sure it's worth fixing. It would require making a wrapper for the request body to track whether and how much of it had been read, plus a lot more complexity in the WSGI redirector.
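
Background on why a digest credential is tied to one request: under RFC 2617 the response hash covers the HTTP method and URI, so a credential computed for `POST /sub` does not verify against any other method. The following is an added example, not CherryPy code or code from this ticket; the helper names and the nonce are constructed, and whether the internal redirect re-checks auth under a different method is an assumption the ticket does not confirm.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))  # method and URI are bound here
    return md5_hex("%s:%s:%s" % (ha1, nonce, ha2))


def verify(auth, users, realm, method):
    """Recompute the response for the method the server is handling."""
    password = users.get(auth["username"])
    if password is None:
        return False
    expected = digest_response(auth["username"], realm, password,
                               method, auth["uri"], auth["nonce"])
    return hmac.compare_digest(expected, auth["response"])


def demo():
    users = {"test": "test"}      # same users as the ticket's get_users()
    realm = "Some site"           # same realm as the ticket's config
    nonce = "constructed-nonce"   # constructed sample value
    # Client side: credential computed for the original POST to /sub.
    auth = {"username": "test", "uri": "/sub", "nonce": nonce}
    auth["response"] = digest_response("test", realm, "test",
                                       "POST", "/sub", nonce)
    as_post = verify(auth, users, realm, "POST")  # original request
    as_get = verify(auth, users, realm, "GET")    # re-check under GET (assumed)
    return as_post, as_get


if __name__ == "__main__":
    print(demo())
```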