[mod_python] Custom Login with redirection back to referer

Graham Dumpleton grahamd at dscpl.com.au
Sat May 20 03:40:30 EDT 2006


On 20/05/2006, at 4:38 PM, Deron Meranda wrote:

> On 5/20/06, Graham Dumpleton <grahamd at dscpl.com.au> wrote:
>> The HTTP specification actually says for 307 (Temporary Redirection),
>> which is what one would want to use:
>
> Yes, that works too and is quite common, although be aware that
> most older browsers don't understand a 307.  So put a link
> on the redirecting HTML page as well.  I'd stay away from a
> 302 though because its semantics are more ambiguous.

Arrggh, I actually meant to say 302 and not 307, as util.redirect()
uses a 302. The specification still says much the same thing.

   The requested resource resides temporarily under a different URI. Since
   the redirection might be altered on occasion, the client SHOULD continue
   to use the Request-URI for future requests. This response is only cacheable
   if indicated by a Cache-Control or Expires header field.

Thus same argument should apply unless browser/cache is truly old.

> I still prefer to send back a 401 or 403 as the semantics are
> much more explicit as to what is happening (the user
> doesn't have permissions to view the page).  This may be
> important if you want to adhere to a REST design.  Also,
> unlike redirects of various flavors, a 40x won't confuse any
> spiders crawling your site (whether a public search engine,
> or your own indexer, or perhaps even a site mirror-er).
> Other rare edge cases could also occur with redirects, such
> as a user doing a "save target as" where the link is to a URL
> requiring login first.  Rather than seeing an error message, the
> user may later find that the file they saved was actually the
> HTML source to your login page.
>
> This is mostly academic of course, but the intended purpose of
> a 30x redirect is to say that the resource (or equivalent) which was
> supposed to be at URL A can instead be found at URL B.  But in
> this scenario that's not what you're doing.  URL A is simply not
> accessible because of permissions, and URL B is a completely
> different resource---the login page.
>
> But do what you want.  Many/most sites use 30x.  The main
> disadvantages of the 40x codes is that there is no auto
> reloading; and that can often be more important than having
> the precisely correct semantics.  With a 40x, the user will have
> to click on a link on the error page to get to the login page.

Can't one use JavaScript or HTTP-EQUIV header in 40x error response
to get browser to redirect automatically?

> But then again, depending on your usability philosophy, that
> may be more desirable.  Seeing an error page saying you
> need to login before you can view the page may be less of
> a surprise than just seeing a login form when you expected
> something else, with no explanation why.

What is your attitude on having the login form in the 40x error page itself?

Anyway, see where you are going now. What I'll do is post up my session
login stuff using 302 redirects, and then if I have time, will try and modify
it to use ideas you are talking about and see if we can't come up with code
for each which people can compare. Someone will just have to convert
my code to work with mod_python 3.2.8. :-)

Graham
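
Added example, not part of the original message and not the session login code Graham mentions: a side-by-side of the two approaches discussed in this thread, a 302 redirect to the login page versus a 403 page that carries the login form itself. It uses plain WSGI rather than mod_python's API, and the `/login` path, the `next` parameter and the `session=ok` cookie check are assumptions made up for illustration.

```python
from html import escape
from urllib.parse import quote

LOGIN_PATH = "/login"          # hypothetical login URL
SESSION_COOKIE = "session=ok"  # constructed stand-in for a real session check

def logged_in(environ):
    return SESSION_COOKIE in environ.get("HTTP_COOKIE", "")

def login_url(environ):
    # Carry the originally requested path so the login handler can send the user back.
    target = environ.get("PATH_INFO", "/")
    qs = environ.get("QUERY_STRING", "")
    if qs:
        target += "?" + qs
    return LOGIN_PATH + "?next=" + quote(target, safe="")

def make_app(style):
    """style is "302" (redirect to login) or "403" (error page carrying the form)."""
    def app(environ, start_response):
        if logged_in(environ):
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b"protected content\n"]
        url = login_url(environ)
        if style == "302":
            # Body link is for clients that do not follow the redirect.
            body = '<a href="%s">Log in</a>' % escape(url)
            start_response("302 Found", [("Location", url),
                                         ("Content-Type", "text/html")])
        else:
            # No Location header: crawlers and "save target as" see an error status.
            body = ('<p>You must log in to view this page.</p>'
                    '<form method="post" action="%s">'
                    '<input name="user"><input name="password" type="password">'
                    '<input type="submit" value="Log in"></form>') % escape(url)
            start_response("403 Forbidden", [("Content-Type", "text/html"),
                                             ("Cache-Control", "no-store")])
        return [body.encode("utf-8")]
    return app

def call(app, path, cookie=""):
    # Drive the app with a constructed environ; no server or network involved.
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": "", "HTTP_COOKIE": cookie}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return seen["status"], seen["headers"], body
```

Whichever style is used, the login handler should accept only a same-site path in `next` before sending the user back to it.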



