Only GET/HEAD in authenticated decorator #761

paulocheque opened this Issue Apr 26, 2013 · 2 comments



Why does the decorator tornado.web.authenticated(method) only support GET/HEAD?

if self.request.method in ("GET", "HEAD"):

ajdavis commented Apr 26, 2013

Here's a little background:!searchin/python-tornado/authenticated$20post/python-tornado/57zQgH6CRHM/cacKqVxCJ2EJ

I don't think redirecting an unauthenticated user who was attempting a POST would generally work: The user's browser has begun sending POST data to your Tornado application, but the application finds the user isn't logged in, so it redirects the browser to a login page to collect a username and password. What should happen to the POST data?


@tornado.web.authenticated can be used on handlers that implement POST or other methods, but it will only redirect for GET or HEAD. Other requests will result in an error instead of a redirect because the POST data or original method would be silently lost if we redirected to a login page. This is seldom an issue in practice because XSRF concerns dictate that POST requests must generally be preceded by a GET.

bdarnell closed this Apr 27, 2013
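
The behaviour described in the comments above, as an added example that is not part of the issue thread or of Tornado's source: a handler with the decorator on both get and post is probed in-process, with and without a signed login cookie. The handler name, the /note and /login routes, the cookie name and the secret are assumptions made for the demonstration.

```python
import asyncio
import tornado.web
from tornado.httpclient import AsyncHTTPClient
from tornado.httpserver import HTTPServer
from tornado.testing import bind_unused_port

SECRET = "constructed-demo-secret"  # placeholder cookie secret, constructed

class NoteHandler(tornado.web.RequestHandler):  # hypothetical handler
    def get_current_user(self):
        # None (no valid signed cookie) means "not logged in".
        return self.get_secure_cookie("user")

    @tornado.web.authenticated
    def get(self):
        self.write("note")

    @tornado.web.authenticated
    def post(self):
        self.write("saved")

async def _probe():
    app = tornado.web.Application(
        [(r"/note", NoteHandler)], cookie_secret=SECRET, login_url="/login")
    sock, port = bind_unused_port()  # listens on 127.0.0.1 only
    server = HTTPServer(app)
    server.add_sockets([sock])
    client = AsyncHTTPClient()
    cookie = tornado.web.create_signed_value(SECRET, "user", "alice").decode()

    async def fetch(method, logged_in):
        resp = await client.fetch(
            f"http://127.0.0.1:{port}/note", method=method,
            body="text=hi" if method == "POST" else None,
            headers={"Cookie": f"user={cookie}"} if logged_in else None,
            follow_redirects=False, raise_error=False)
        return resp.code, resp.headers.get("Location")

    try:
        # (method, logged_in) -> (status code, Location header)
        return {(m, li): await fetch(m, li)
                for m in ("GET", "POST") for li in (False, True)}
    finally:
        server.stop()

def probe():
    return asyncio.run(_probe())

if __name__ == "__main__":
    print(probe())
```

A client that POSTs without a session therefore has to treat 403 as "log in and resubmit"; only the GET path carries a next= parameter back to the original URL.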