Posts Tagged ‘Hack’

Cherrypy Digest Auth POST problem (and solution!)

Friday, July 18th, 2008

When using Digest Authentication with Cherrypy, if a client's first request to a protected page is a POST with a body, the credentials will be rejected even though they are correct. This is due to how Cherrypy's digest_auth tool handles the initial request and its body.

The Problem

In Cherrypy 3, when using Digest Authentication (via tools.digest_auth), if the first request to a protected area is a POST request (one with an HTTP body), the client will not be able to authenticate properly.

Example: when an HTML form is posted to a protected action, the client is prompted for credentials. After a good username and password are supplied, Cherrypy rejects the request and asks for credentials again.

The Cause

First a primer on Digest Authentication:

The Process

  1. The client requests a protected URL (eg: /secret)
  2. The server looks for credentials in the request's HTTP headers. There are none, so authentication fails and the server replies with an HTTP status code of 401 Unauthorized, carrying a WWW-Authenticate header with the realm and a fresh nonce.
  3. The client receives this response and obtains a username and password (from an operator, a database, or some other source).
  4. The client requests the URL again, this time adding the credentials to the "Authorization" HTTP header. What is sent is not the password itself but an MD5 digest over the username, realm, password, nonce, request method and URI.
  5. The server tries again to authenticate. If the credentials are good, the resource at /secret is served. If authentication fails, the server responds with 401 again...
  6. rinse and repeat.
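The six-step exchange above, worked through as an added example in Python. This is not the post's code and not Cherrypy's digest_auth tool; it is a minimal RFC 2617 Digest client and server using qop=auth and MD5, with the realm, user and password below as constructed sample data. Because the request method is hashed into the digest (the A2 value), a response computed for a POST does not verify against a GET, so a client must retry with the same method and URI it was challenged on.

```python
import hashlib
import re
import secrets

# Constructed sample data (not from the original post).
REALM = "secret"
USERS = {"alice": "correct horse battery staple"}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' (WWW-Authenticate or Authorization) into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}


def digest_response(username, password, realm, nonce, method, uri, nc, cnonce, qop="auth"):
    """RFC 2617 3.2.2.1: response = KD(HA1, nonce:nc:cnonce:qop:HA2), KD = MD5."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # the HTTP method is bound into the digest here
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users
        self.nonces = set()  # nonces this server has issued and will accept

    def challenge(self) -> str:
        """Step 2: the 401 carries WWW-Authenticate with the realm and a fresh nonce."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method: str, uri: str, authorization: str) -> bool:
        """Step 5: recompute the digest from the stored password and compare."""
        try:
            p = parse_digest_header(authorization)
        except ValueError:
            return False
        needed = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
        if any(k not in p for k in needed):
            return False
        if p["realm"] != self.realm or p["nonce"] not in self.nonces or p["uri"] != uri:
            return False
        password = self.users.get(p["username"])
        if password is None:
            return False
        expected = digest_response(p["username"], password, self.realm, p["nonce"],
                                   method, uri, p["nc"], p["cnonce"], p.get("qop", "auth"))
        return secrets.compare_digest(expected, p["response"])


def client_authorization(challenge: str, username, password, method, uri) -> str:
    """Steps 3-4: answer the challenge with an Authorization header for this method/URI."""
    c = parse_digest_header(challenge)
    nc, cnonce = "00000001", secrets.token_hex(8)
    resp = digest_response(username, password, c["realm"], c["nonce"], method, uri, nc, cnonce)
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def run_exchange(method, uri, username, password):
    """Steps 1-5 end to end; True if the retried request is accepted."""
    server = DigestServer(REALM, USERS)
    www_authenticate = server.challenge()  # step 1 had no credentials -> 401 + challenge
    authz = client_authorization(www_authenticate, username, password, method, uri)
    return server.verify(method, uri, authz)


def method_is_bound():
    """Same Authorization header checked against POST and GET: only POST verifies."""
    server = DigestServer(REALM, USERS)
    authz = client_authorization(server.challenge(), "alice", USERS["alice"], "POST", "/secret")
    return server.verify("POST", "/secret", authz), server.verify("GET", "/secret", authz)


if __name__ == "__main__":
    print("POST accepted:", run_exchange("POST", "/secret", "alice", USERS["alice"]))
    print("(POST, GET) with a POST digest:", method_is_bound())
```

The server only accepts nonces it issued itself, so replaying an Authorization header against a different server instance fails even with the right password; a production implementation would additionally expire nonces and check the nc counter to stop replays within one server's lifetime.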
