htaccess does not require login when using POST

0
votes

I'm new to this so I'm hoping that this is just a issue of me not editing a config file properly. I have a protected directory in my cgi-bin called /auth. The auth directory has an .htaccess file in it. First I made the htpasswd file as follows...

htpasswd -c /var/pass/.htpasswd username

Then I made the .htaccess file and put it in the auth directory. The .htaccess file contains the following text...

AuthUserFile  /var/pass/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Directory"
AuthType Basic

<Limit GET>
require valid-user
</Limit>

I put a sample python script in /cgi-bin/auth called Test.py which contains the following text...

#!/usr/bin/python
import cgi

form = cgi.FieldStorage()
print 'Content-Type: text/html\n'

if form.has_key('text'): print form['text'].value
else: print 'No text entered'

When I go to localhost/cgi-bin/auth/Test.py I get the password prompt and I can login and see the 'No text entered' text so I know it works.

My problem is that there is no password prompt when I submit data to this protected file using the POST method. For example, I made this file (called input.py) and put it in my /cgi-bin directory...

#!/usr/bin/python

print 'Content-Type: text/html\n'

print '<form method="post" name="form_transfer" action="/cgi-bin/auth/outputTest.py">'
print '<input type="hidden" name="text" value="transferred"/>'
print '</form>'

print '<a href="javascript:void(0)" onclick="document.form_transfer.submit(); return false">Click Me</a>'

I went to localhost/cgi-bin/input.py and clicked on the Click Me link and my simple example (the "Test.py" script) does not ask me for a password. It accepts the data and displays the text "transferred" immediately. How do I stop it from doing this? I want the user to have to login.

On a side note entering via GET actually DOES generate a password dialog (entered localhost/cgi-bin/auth/Test.py?text=printthis on my browser). For some reason POST is not working.

EDIT. Tyler Eaves solved this. In the htaccess file, instead of <LIMIT GET> I typed <LIMIT GET POST> and it worked.

1
pythonapache.htaccesscgi.htpasswd
For some reason? Don't you think it might have something to do with: <Limit GET>. Why do you think that would apply to POST also?Tyler Eaves
Eek that is probably it. Like I said, I'm new to this :/ I would accept your answer if I could...b10hazard

1 Answers

0
votes

Nevermind. Solved it. Thanks Tyler Eaves!

EDIT. Tyler Eaves solved this. In the htaccess file, instead of <LIMIT GET> I typed <LIMIT GET POST> and it worked.