[mod_python] Authentication behaviour

Mike Looijmans mike.looijmans at asml.com
Thu Aug 7 07:47:14 EST 2003


I think in this case, you may want to consider the alternative, which is to
just provide a 'regular' request handler, and when authentication is
required but not given, just return a "401 Unauthorized" response with a
WWW-Authenticate header specifying the realm.

That will give the user a password popup and the browser will then retry the
same request. Note that for large POST requests, this is wasting a lot of
bandwidth, as the first (and therefore unauthorized) POST request will be
completely rejected! It may be better to direct the user to a GET page first
to authenticate, and only after that page start doing the POST things.

Note that (unless the "Digest" authentication algorithm is used) the "Basic"
HTTP authentication is highly insecure and therefore you should never ever
use unix account data for this. Digest is only supported by IE and probably
the newer Mozillas (haven't tried those, NS 6 did not support it).

I prefer using session cookies for authentication, since that is (if
implemented properly) more secure and allows the user to log out.

Mike.
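As an added illustration of the approach described above (not code from the original post or from mod_python itself): a request handler that lets GET through, demands Basic credentials on POST, and answers a missing or wrong header with "401 Unauthorized" plus a WWW-Authenticate header carrying the realm. The credential store, salt, user name and password are constructed for the example; the store holds salted hashes rather than unix account data, in line with the warning about Basic auth. The small `mod_python_adapter` at the end assumes a request object with `method`, `headers_in` and `err_headers_out` attributes as mod_python provides them; the core logic is plain Python so it runs without Apache.

```python
import base64
import hashlib
import hmac

REALM = "Restricted Area"

# Constructed credential store: user name -> salted SHA-256 of the password.
# Basic auth sends the password in the clear (base64 is not encryption), so
# the store deliberately holds no system account data.
_SALT = b"constructed-example-salt"


def _digest(password):
    return hashlib.sha256(_SALT + password.encode("utf-8")).digest()


USERS = {"alice": _digest("correct horse")}
_DUMMY = _digest("")  # compared against when the user is unknown, so timing is uniform


def basic_header(user, password):
    """Build the header value a browser sends after the password popup."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic(header):
    """Return (user, password) from a 'Basic <base64>' value, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def credentials_ok(user, password):
    """Constant-time check of the presented password against the stored digest."""
    expected = USERS.get(user)
    match = hmac.compare_digest(_digest(password), expected or _DUMMY)
    return expected is not None and match


def handle(method, headers):
    """Return (status, response_headers). GET is open; POST needs valid credentials."""
    if method.upper() != "POST":
        return 200, {}
    creds = parse_basic(headers.get("Authorization"))
    if creds and credentials_ok(*creds):
        return 200, {}
    # The realm in WWW-Authenticate is what triggers the browser's password popup.
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


def mod_python_adapter(req):
    """Assumed mod_python glue: copy the decision onto a request object.

    Returns the status code the handler would hand back to Apache; error
    headers go into err_headers_out so they survive a 401 response.
    """
    status, out = handle(req.method, req.headers_in)
    for name, value in out.items():
        req.err_headers_out[name] = value
    return status
```

Because the first POST is rejected before any body is read, the client's upload is discarded exactly as the reply warns; pointing the user at a GET login page first avoids paying for the body twice.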

-----Original Message-----
From: Conrad Steenberg <conrad at hep.caltech.edu>
To: ModPython mail list <mod_python at modpython.org>
Date: Thursday, August 07, 2003 7:31 AM
Subject: [mod_python] Authentication behaviour


>Hi
>
>I have an authenhandler that basically ignores authentication headers
>for GET requests, but requires them to be present for POST requests.
>
>With Apache 2.0.46 this worked fine with a setup like e.g.
><Directory /opt/midir/>
>       SetHandler python-program
>       AddHandler python-program .py
>       PythonHandler my_handler
>       PythonAuthenHandler my_handler
>       AuthType Basic
>       AuthName "Restricted Area"
></Directory>
>
>In 2.0.47 the authenhandler doesn't get called unless I add
>      require valid-user
>to the above. But this makes browsers pop up a password dialog for
>requests without authentication headers (GET requests in this case).
>
>Is there any way to make the browser not pop up the password dialog, but
>still have the authenhandler called? I.e. where does the response get
>generated that returns an "authentication required" value to the browser,
>if not in the authenhandler?
>
>Any help appreciated!
>
>Conrad
>
>--
>Conrad Steenberg <conrad at hep.caltech.edu>
>--
>


