* Bill Moseley <mose...@hank.org> [2009-09-30 16:00]:
> I also do not detach to a login page, rather I always redirect.
> Not sure I remember the details of that choice, but one reason
> might have been I didn't want a URL for one resource to return
> a 200 yet not return the response for that URL and instead
> return a login form.

I detach. My login action sets status 403 and pragma no-cache (etc) when it’s not requested directly.

I’d love to be able to just send 401 instead and let the user agent take care of everything (which would transparently and securely deal with POSTs sent with expired auth credentials) – unfortunately the HTTP Auth UI in browsers is universally shoddy.

If I felt the need, I could also check for browser vs automated agent and send either form + 403 to browsers and just a 401 to other clients.

Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>
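
The response policy described in the message above, as an added plain-Perl sketch that is not part of the original message and not Catalyst code. The `auth_response` function, the `/login` path, browser detection via the `Accept` header, and the `Basic` challenge are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decide the response for a request to a protected application.
# %req keys (hypothetical, for this sketch): path, accept, authenticated.
sub auth_response {
    my (%req) = @_;

    return { status => 200, body => 'resource' } if $req{authenticated};

    # The login page requested directly is an ordinary 200 page.
    return { status => 200, body => 'login form' } if $req{path} eq '/login';

    # The denial must not be cached under the protected resource's URL.
    my @no_cache = ('Cache-Control' => 'no-store', 'Pragma' => 'no-cache');

    # Assumption: a client that accepts text/html is a browser, so it gets
    # the login form, but with 403 rather than a misleading 200.
    if (($req{accept} // '') =~ m{\btext/html\b}i) {
        return { status => 403, headers => {@no_cache}, body => 'login form' };
    }

    # Other clients get a bare challenge (the Basic scheme is an assumption).
    return {
        status  => 401,
        headers => { @no_cache, 'WWW-Authenticate' => 'Basic realm="app"' },
        body    => '',
    };
}

# Constructed sample requests.
my @samples = (
    { path => '/login',   accept => 'text/html',        authenticated => 0 },
    { path => '/reports', accept => 'text/html,*/*',    authenticated => 0 },
    { path => '/reports', accept => 'application/json', authenticated => 0 },
    { path => '/reports', accept => 'text/html',        authenticated => 1 },
);

for my $s (@samples) {
    my $r = auth_response(%$s);
    my $h = $r->{headers} // {};
    printf "%-8s %-17s -> %d %s\n", $s->{path}, $s->{accept}, $r->{status},
        join(', ', map { "$_: $h->{$_}" } sort keys %$h);
}
```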