id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
25029,"When external authentication via REMOTE_USER is only configured on /admin/login/, the authentication does not persist",Jan Pazdziora,nobody,"The ticket #17869 made sure that if the REMOTE_USER header is not present, the user is logged out in Django as well. Ticket #23066 moved the logic to a different method but the semantics stayed the same. However, for certain external authentication mechanisms, it makes sense that the frontend server (Apache) is configured to only authenticate a single URL, like /admin/login/. For example with Kerberos, we do not want the negotiate to happen upon every request -- we want Django to accept the external authentication, create the session, and then use that session until the user explicitly logs out. I assume changing the current behaviour of RemoteUserMiddleware is not acceptable so I'm proposing a new middleware, OptionalRemoteUserMiddleware, to allow the REMOTE_USER to be only present once.",New feature,closed,contrib.auth,dev,Normal,fixed,,Jan Pazdziora,Accepted,1,0,0,0,0,0