repoze.who.plugins.formcookie – CookieRedirectingFormPlugin

Author: Domen Kožar <domen[ATNOSPAM]>
Bug tracker:


CookieRedirectingFormPlugin is based on repoze.who.plugins.form.RedirectingFormPlugin with slight changes:

  • uses a browser cookie (or a custom setting) to remember the restricted location and redirects there after a successful login.
  • offers a force_https parameter to ignore non-https logins (and raise 401)


class repoze.who.plugins.formcookie.CookieRedirectingFormPlugin(login_form_path, login_handler_path, logout_handler_path, rememberer_name, default_redirect_path='/', logout_redirect_method='cookie', login_redirect_method='cookie', username_field='login', password_field='password', force_https=False, encoding='utf-8', fail_redirect_path=None)
  • login_form_path – relative URL to login html form
  • login_handler_path – relative URL to login process
  • logout_handler_path – relative URL to logout process
  • rememberer_name – identifier plugin that handles remember/forget headers
  • login_redirect_method – you can either pass in cookie, which uses the _extract_came_from method to extract the came_from cookie from the environment, or pass in any custom path in which %(login)s is replaced with the extracted username credentials
  • logout_redirect_method – same as login_redirect_method, only used on successful logout (and with no string formatting)
  • default_redirect_path – if no cookie is found and no HTTP_REFERER is present, this value is used when using the cookie method (string formatting is also performed)
  • force_https (boolean) – if True, identification will not happen when url scheme is not https
  • username_field – form key that will be checked for username value [1]
  • password_field – form key that will be checked for password value [1]
  • force_https – only allow https for exchanging data
  • encoding – encoding to use for managing strings
  • fail_redirect_path – if authentication fails, redirect to this path (common usage: ‘/?message=wrong_login’)

Version added: encoding and fail_redirect_path parameters

challenge(environ, status, app_headers, forget_headers)

Called on abort(401). Set up came_from cookie and redirect to login_form_path.

If logout was performed, redirect to came_from.

forget(environ, identity)

on login:

Parse form vars login & password and if successful, return them. Redirect to came_from.

on logout:

Store came_from for the challenger to find later and trigger abort(401).

remember(environ, identity)

Expires the came_from cookie because our authenticator succeeded.
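
An added example (not the plugin's own code) of the redirect resolution that login_redirect_method and default_redirect_path describe, written defensively: the client-supplied came_from value is accepted only as a same-site path, and the username is percent-encoded before %(login)s substitution. The function names, the same-host rule for HTTP_REFERER and the sample requests are assumptions; Python 3 is assumed.

```python
from http.cookies import SimpleCookie
from urllib.parse import quote, urlsplit


def is_local_path(target):
    """Accept only same-site absolute paths such as /home/alice/."""
    if not target or not target.startswith("/") or target.startswith("//"):
        return False
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False  # backslash host tricks, CR/LF header splitting
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def came_from(environ):
    """came_from cookie first, then HTTP_REFERER (same host only, assumed rule)."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if "came_from" in cookie:
        return cookie["came_from"].value
    parts = urlsplit(environ.get("HTTP_REFERER", ""))
    if parts.netloc and parts.netloc == environ.get("HTTP_HOST"):
        return parts.path + ("?" + parts.query if parts.query else "")
    return None


def login_redirect_target(environ, login, method="cookie", default="/"):
    """Resolve the post-login Location value; fall back to default."""
    # Percent-encode the username so it cannot add path segments.
    fill = {"login": quote(login, safe="")}
    safe_default = default % fill
    if method == "cookie":
        # Client-supplied value: validated below, never string-formatted.
        target = came_from(environ) or safe_default
    else:
        target = method % fill
    return target if is_local_path(target) else safe_default


# Constructed sample requests (not captured traffic).
GOOD = {"HTTP_COOKIE": "came_from=/private/report", "HTTP_HOST": "app.example"}
EVIL = {"HTTP_COOKIE": "came_from=https://evil.example/x", "HTTP_HOST": "app.example"}

if __name__ == "__main__":
    print(login_redirect_target(GOOD, "alice"))
    print(login_redirect_target(EVIL, "alice"))
    print(login_redirect_target({}, "../admin", method="/home/%(login)s/"))
```
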

repoze.who.plugins.formcookie.make_redirecting_plugin(login_form_path=None, login_handler_path=None, logout_handler_path=None, rememberer_name=None, default_redirect_path='/', login_redirect_method='cookie', logout_redirect_method='cookie', username_field='login', password_field='password', force_https=False, encoding='utf-8', fail_redirect_path=None, **kw)

Function helper for plugin generation from .ini files.

Example configuration:

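[plugin:form]
# section name "form" is an assumption; the section headers are not shown on this page
use = repoze.who.plugins.formcookie:make_redirecting_plugin
login_form_path = /login_form
login_handler_path = /login
logout_handler_path = /logout
rememberer_name = cookie
force_https = true
login_redirect_method = /home/%(login)s/
logout_redirect_method = /
username_field = username
password_field = password

[plugin:cookie]
# section name matches rememberer_name above
use = repoze.who.plugins.auth_tkt:make_plugin
# example value only; use a long random secret in a real deployment
secret = w00t
cookie_name = imin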

[1] Credential information is always passed forward to authenticator plugins as login and password.


0.3.0 (15.04.2010)

  • added encoding and fail_redirect_path parameters
  • when login_form_path is not given, display correct message

0.2.3 (05.05.2009)

  • dropped dependency of PasteDeploy

0.2.2 (15.03.2009)

  • added options username_field and password_field

0.2.1 (07.03.2009)

  • fixed bugs in make_redirecting_plugin

0.2 (02.02.2009)

  • implemented custom redirecting path through login_redirect_method and logout_redirect_method
  • added force_https

0.1.2 (23.01.2009)

  • applied a patch to fix misspelled login_form_path in make_redirecting_plugin, thanks TJ!

0.1.1 (08.01.2009)

  • removed error message (login and password parameters are never empty)
  • critical bug fix: headers were not returned correctly

0.1 (06.01.2009)

  • initial release


  • make the application able to store info in environ and pass the request to the underlying application

None at the moment, I’m open to suggestions.
