Deron Meranda
deron.meranda at gmail.com
Fri May 19 15:49:10 EDT 2006
On 5/19/06, Geoff Skerrett <geoff at teammsa.com> wrote:
> I am hoping someone can get me back on track and point me in the right
> direction.
>
> I want to create a process where if the user requests a page they are not
> authorized for then;
> 1) a custom logon form is displayed
> 2) the user submits and it is processed, verifying against a database if the
> user is valid
> 3) as part of the processing a session is created
> 4) the session stores some data (userid, name, lastip, etc)
> 5) when complete the system redirects the user to the original page (ie the
> referrer for the login)
>
> I have a test case working and using the util.redirect function. Everything
> works fine, but when the referred page is processed, it gets a new session so the
> variables I have stored during the login page process aren't available to
> the referred page.
>
> What am I missing? What is the best strategy for storing the session
> variables and dealing with this type of process?

First of all, be cautious using redirection for that purpose. Proxy servers, caching, and the like may decide to just cache the redirects too. And then you'd have cross-user contamination.

A better approach that more closely follows the HTTP standard semantics is to have your authentication handler cause an HTTP 403 error when the user doesn't have permissions.

    m.abort(403)

Then Apache will display the standard 403 error handler page. You should replace/modify that page to contain some text that provides a link to the login page:

    <a href="/login">Please login to view this page</a>

Then your login page handler should capture the value of the HTTP_REFERER (if any) and save it. The referer in this case will be the original URL which failed your access control checks (not the 403 error page). If you're putting up an HTML login form, then stick the value of the referer into a hidden <input> element, so you can preserve it. Note that you should handle the case where there is no referer too.

After the user types in their login credentials and you successfully process the login form and authenticate the user, you can retrieve the value of the referer from the input field. And if it exists, do your redirect back to the original page. Or you could display a "welcome" greeting page first, which then contains a link to "go back" to the page you originally tried to view.

-- 
Deron Meranda
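The round trip described in the reply above (403 from the access check, Referer captured on the login page, carried in a hidden field, session created on a successful login, redirect back) as an added, framework-independent example. This is not code from the original post or from mod_python: the handler functions, `SITE_HOST`, `LOGIN_PATH`, the in-memory `SESSIONS` store and the single-user `USER_DB` are all assumptions constructed for illustration, and a real mod_python handler would return `apache.HTTP_FORBIDDEN` from a `req`-based handler rather than call these functions. One check a practitioner will want that the reply does not spell out: the Referer and the hidden field are both client-controlled, so the return target is reduced to a same-site path before it is ever used in a `Location` header, and the login page itself is never accepted as a target (otherwise a failed access check on `/login` would loop).

```python
"""Login round trip: 403 -> login form (Referer in hidden field) -> session -> redirect.

Hypothetical, framework-independent handlers; constructed sample data.
"""
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"   # assumed hostname of our own site
LOGIN_PATH = "/login"           # assumed path of the login page
DEFAULT_RETURN = "/"            # where to send a user when no usable referer exists


def _hash_password(password, salt):
    """Salted SHA-256 stand-in for whatever the real user database stores."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user table: username -> salt, password hash, display name.
USER_DB = {
    "alice": {"salt": "s1", "pw": _hash_password("correct horse", "s1"), "name": "Alice"},
}

SESSIONS = {}   # session id -> session data; stand-in for a shared session store


def safe_return_path(path):
    """Reduce a client-supplied return target to a same-site path.

    Rejects anything that is not an absolute path on this site ("//host",
    backslash tricks, header-injection characters) and the login page itself.
    """
    if not path or not path.startswith("/") or path.startswith("//"):
        return DEFAULT_RETURN
    if any(c in path for c in "\\\r\n"):
        return DEFAULT_RETURN
    if path.split("?", 1)[0] == LOGIN_PATH:
        return DEFAULT_RETURN
    return path


def return_path_from_referer(referer, host=SITE_HOST):
    """Turn the HTTP_REFERER seen by the login page into a return path.

    Only http(s) URLs on our own host qualify; a missing or foreign Referer
    falls back to DEFAULT_RETURN.
    """
    if not referer:
        return DEFAULT_RETURN
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != host.lower():
        return DEFAULT_RETURN
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return safe_return_path(path)


def login_form_html(referer):
    """GET /login: render the form with the validated return path in a hidden field."""
    ret = safe_return_path(return_path_from_referer(referer))
    return (
        '<form method="post" action="%s">'
        '<input type="hidden" name="return_to" value="%s">'
        'User: <input name="user"> Password: <input type="password" name="pw"> '
        '<input type="submit" value="Log in"></form>'
        % (LOGIN_PATH, html.escape(ret, quote=True))
    )


def process_login(form, client_ip):
    """POST /login: verify credentials, create the session, redirect back.

    Returns (status, headers). The hidden field is re-validated here because
    the client could have changed it after the form was rendered.
    """
    rec = USER_DB.get(form.get("user", ""))
    if rec is None or not hmac.compare_digest(
        _hash_password(form.get("pw", ""), rec["salt"]), rec["pw"]
    ):
        return 401, {}      # or re-render the form with an error message
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"userid": form["user"], "name": rec["name"], "lastip": client_ip}
    headers = {
        "Location": safe_return_path(form.get("return_to", "")),
        "Set-Cookie": "sid=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % sid,
        "Cache-Control": "no-store",   # never let a proxy cache this redirect
    }
    return 303, headers


def session_from_cookie(cookie_header):
    """Look up the session named by the 'sid' cookie, if there is one."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None


def check_access(cookie_header):
    """Access handler for a protected page: (200, session) or (403, None).

    On 403 Apache serves the ErrorDocument page, which links to /login.
    """
    session = session_from_cookie(cookie_header)
    return (403, None) if session is None else (200, session)
```

The `Cache-Control: no-store` on the post-login redirect addresses the caching concern raised at the top of the reply: the redirect is specific to the user who just logged in and must not be served to anyone else from a shared cache.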