[mod_python] Custom Login with redirection back to referer

Deron Meranda deron.meranda at gmail.com
Sat May 20 02:38:10 EDT 2006


On 5/20/06, Graham Dumpleton <grahamd at dscpl.com.au> wrote:
> The HTTP specification actually says for 307 (Temporary Redirection),
> which is what one would want to use:

Yes, that works too and is quite common, although be aware that
most older browsers don't understand a 307.  So put a link
on the redirecting HTML page as well.  I'd stay away from a
302 though because its semantics are more ambiguous.

I still prefer to send back a 401 or 403 as the semantics are
much more explicit as to what is happening (the user
doesn't have permissions to view the page).  This may be
important if you want to adhere to a REST design.  Also,
unlike redirects of various flavors, a 40x won't confuse any
spiders crawling your site (whether a public search engine,
or your own indexer, or perhaps even a site mirror-er).
Other rare edge cases could also occur with redirects, such
as a user doing a "save target as" where the link is to a URL
requiring login first.  Rather than seeing an error message, the
user may later find that the file they saved was actually the
HTML source to your login page.

This is mostly academic of course, but the intended purpose of
a 30x redirect is to say that the resource (or equivalent) which was
supposed to be at URL A can instead be found at URL B.  But in
this scenario that's not what you're doing.  URL A is simply not
accessible because of permissions, and URL B is a completely
different resource---the login page.

But do what you want.  Many/most sites use 30x.  The main
disadvantage of the 40x codes is that there is no auto
reloading; and that can often be more important than having
the precisely correct semantics.  With a 40x, the user will have
to click on a link on the error page to get to the login page.
But then again, depending on your usability philosophy, that
may be more desirable.  Seeing an error page saying you
need to login before you can view the page may be less of
a surprise than just seeing a login form when you expected
something else, with no explanation why.


> ... and may be even better for the login handler to
> only work with POST requests and disallow GET requests.

Restricting the method to POST on a login is also good for security.
-- 
Deron Meranda
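The two approaches compared above (a 30x redirect to the login page versus a 40x page carrying a link) and the POST-only login handler, as an added example that is not part of the original thread or of mod_python itself. It is framework-agnostic: each handler returns a `(status, headers, body)` tuple, and the function names, the `/login` path and the `next` query parameter are assumptions.

```python
from urllib.parse import quote

LOGIN_URL = "/login"  # assumed path of the login page


def _safe_next(next_url):
    # Only send the user back to a local path; refuse absolute or
    # protocol-relative URLs so "next" cannot become an open redirect.
    if next_url.startswith("/") and not next_url.startswith("//"):
        return next_url
    return "/"


def require_login(path, authenticated, style="403"):
    """Gate a protected resource; returns (status, headers, body).

    style="307": Temporary Redirect to the login page, carrying the original
                 URL in the query string so the login handler can send the
                 user back afterwards.
    style="403": Forbidden page that links to the login page; the status code
                 states that the resource is not accessible, and crawlers do
                 not follow it to the login form.
    """
    if authenticated:
        return 200, {"Content-Type": "text/plain"}, "protected content"
    target = f"{LOGIN_URL}?next={quote(path, safe='')}"
    link = f'<a href="{target}">Log in</a>'
    if style == "307":
        # Body carries the link too, for clients that do not understand 307.
        return 307, {"Location": target, "Content-Type": "text/html"}, link
    body = f"<p>You must log in before you can view {path}.</p>{link}"
    return 403, {"Content-Type": "text/html"}, body


def login_handler(method, form, check_password):
    """Accept credentials only via POST; any other method gets 405.

    `form` is the already-decoded form/query data; `check_password` is an
    assumed callback returning True for valid credentials.
    """
    if method != "POST":
        return 405, {"Allow": "POST"}, "the login form must be submitted with POST"
    if not check_password(form.get("user", ""), form.get("password", "")):
        return 401, {"Content-Type": "text/plain"}, "bad credentials"
    # Successful login: 303 See Other sends the browser back (with GET) to
    # the page it originally asked for, after validating that target.
    return 303, {"Location": _safe_next(form.get("next", "/"))}, ""
```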
