Issue #749 resolved

digest auth does not work with POST and InternalRedirect

created an issue

If you submit a POST request and start an InternalRedirect, digest auth will ask again for the password and the user is no longer able to log in.

Reproducible with the following code:

{{{
import cherrypy

class Root:
    @cherrypy.expose
    def index(self):
        return """<html>
<head></head>
<body>
<a href="/sub">sub area</a>
<form action="/sub" method="post">
<input type="hidden" name="submitted" value="True" />
<input type="submit" name="select" value="Select" />
</form>
</body>
</html>
"""

    @cherrypy.expose
    def sub(self, select=None, submitted=None):
        # A POST to /sub is redirected internally; digest auth then prompts again.
        #if submitted == "True":
        raise cherrypy.InternalRedirect("/sub2")
        return "This is a sub1 area"

    @cherrypy.expose
    def sub2(self, select=None):
        return "This is a sub2 area"

if __name__ == '__main__':
    def get_users():
        return {'test': 'test'}
    conf = {'/': {'tools.digest_auth.on': True,
                  'tools.digest_auth.realm': 'Some site',
                  'tools.digest_auth.users': get_users}}
    root = Root()
    cherrypy.quickstart(root, '/', config=conf)
}}}


Just press Select on the index page... GET seems to be working fine. Tested with 3.0.1 and 3.0.2 and Python 2.4 on OpenBSD.

Comments (6)

  1. Robert Brewer

    POST in general doesn't work with InternalRedirect, and I'm not sure it's worth fixing. It would require making a wrapper for the request body to track whether and how much of it had been read, plus a lot more complexity in the WSGI redirector.

  2. Anonymous

    I agree with fumanchu. InternalRedirect is one of those features that CP brings that can have nasty side effects if we push its use too far. Usually speaking, doing a redirect on a POST, be it transparent to the client, is not a nice idea IMO, and I think it would be better practice to write tools that pre-process either the body and headers before hitting the appropriate page handlers.

    I think we should close this ticket as invalid unless a better use case is shown.

  3. guest reporter

    Hi, I reported this ticket. It's okay for me if it will be closed with "wontfix" or something, I understand if it's too hard to implement.

    Just one additional question: in which case is an InternalRedirect really needed?

    And for the record, this issue came up as we wanted to use InternalRedirect instead of HTTPRedirect here: in line 212 and 215. The idea behind it was to call in any cherrypy function and redirect to the same function if errors in forms occur... Using InternalRedirect has the advantage that the URL is not rewritten, but HTTPRedirect with a given url/path is fine too - maybe we rewrite this to a pre-processing tool sometime.
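
The request-body wrapper described in comment 1, sketched as an added example (not CherryPy code and not from this thread): it tracks how much of a one-shot body stream has been read and lets a second handler replay it. `ReplayableBody`, `rewind` and the sample body are hypothetical and constructed here; an `io.BytesIO` that is never seeked stands in for the WSGI input stream.

```python
import io

# Constructed sample: the body the form in the issue would POST.
BODY = b"submitted=True&select=Select"

class ReplayableBody:
    """Wrap a one-shot body stream, recording bytes so they can be replayed."""

    def __init__(self, stream, content_length):
        self._stream = stream
        self._remaining = content_length  # bytes not yet pulled from the stream
        self._seen = bytearray()          # bytes already pulled, kept for replay
        self._pos = 0                     # read position within the logical body

    @property
    def bytes_read(self):
        return len(self._seen)

    def read(self, size=-1):
        total = len(self._seen) + self._remaining
        left = total - self._pos
        want = left if size is None or size < 0 else min(size, left)
        end = self._pos + want
        if end > len(self._seen):
            need = end - len(self._seen)
            chunk = self._stream.read(need)
            # A short read means the client sent less than Content-Length.
            self._remaining = self._remaining - len(chunk) if len(chunk) == need else 0
            self._seen += chunk
            end = min(end, len(self._seen))
        data = bytes(self._seen[self._pos:end])
        self._pos = end
        return data

    def rewind(self):
        self._pos = 0

def second_read_plain():
    raw = io.BytesIO(BODY)
    raw.read(len(BODY))         # first handler consumes the form body
    return raw.read(len(BODY))  # handler after the redirect finds nothing left

def second_read_replayable():
    body = ReplayableBody(io.BytesIO(BODY), len(BODY))
    body.read(10)               # first handler reads only part of the body
    body.rewind()               # internal redirect: start over for the next handler
    return body.read()
```

The buffer grows to at most `content_length` bytes, so a real deployment of this idea would need a cap on accepted body size before wrapping.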
