[mod_python] Custom Login with redirection back to referer

Deron Meranda deron.meranda at gmail.com
Sun May 21 00:47:57 EDT 2006

On 5/20/06, Graham Dumpleton <grahamd at dscpl.com.au> wrote:
> Can't one use JavaScript or HTTP-EQUIV header in 40x error response
> to get browser to redirect automatically?

If your response is HTML (as is typically the case), yes you can
do that.  But again, being somewhat of a "purist" I wouldn't. The
http-equiv is really there to "store" any important HTTP headers
which affect how the page may be interpreted, such as content-type
or charset, so the page can be properly rendered statically while
offline (i.e., not over HTTP).  Any http-equiv meta elements in your
document should correspond exactly to the same HTTP headers
you serve up with that document.  In fact, I've gone so far as to
enforce this in the mini-frameworks I build on top of mod_python,
so I never have an http-equiv which doesn't match exactly a real
HTTP header.

If you really want an automatic redirect, you probably should just
go ahead and use one of the 30x responses...or use some
javascript to reload the error page to the login page after a
suitable delay.

> What is you attitude on having the login form in the 40x error page
> itself?

I guess that is a possibility.  It really depends on your needs
and the complexity of your login form processing---using
captchas or SecureID, etc, may be challenging to do from
within an error response page.  But, I've never tried that.
I do know that Apache tends makes it hard to do anything
sophisticated on an error response page.  I'm also not sure
if there might be some strange interactions with some browser
form-remembering features.  It would be interesting to try.

An important point though is that I use 403's in many different
"permission denied" cases, some of which are because the user
isn't logged in, and others when logging in won't make any
difference (a simple example is "directly listing is prohibited").  So
you still want your 403 error page to look like an error page,
notifying the user that there could be any number of reasons
why they may not have permissions to retrieve the resource; and
then suggesting that they may try logging in (but with no promises).

Technically, a 401 would be more appropriate than a 403 for
this very reason; but then you are restricted to using a standard
authentication mechanism, or one that the browsers understand
(not a form-based login).

One thing that would be nice to be able to do is to pass
information to the Apache error page, so it can be more
specific in the human-readable part of the reponse. Perhaps
the new SSI hooks you added might make that possible ??

Looking forward to seeing your code.  I'm excited about many of
the auth* integration features you added, but haven't had time to
play with them in the trunk yet.
Deron Meranda

More information about the Mod_python mailing list