session auth in python

Question

Using session from requests module in python, it seems that the session sends authorization only with first request, I can't understand why this happened.

import requests
session = requests.Session()
session.auth = (u'user', 'test')
session.verify = False
response = session.get(url='https://my_url/rest/api/1.0/users')

If I look for this response request headers I see:

{'Authorization': 'Basic auth_data', 'Connection': 'keep-alive', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'User-Agent': 'python-requests/2.12.3'}

but if I send next request using the same or not url:

response = session.get(url='https://my_url/rest/api/1.0/users')

I can see that there is no auth header in request anymore:

print response.request.headers
{'Connection': 'keep-alive', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'User-Agent': 'python-requests/2.12.3'}

And I'm getting 401 response because of it.

Why is it so? Shouldn't session send auth with every request made using it? How can I send auth data with every request using session?

Answer 1

What I see when I run that exact code in your comment is that the Authorization header is missing in the first print, yet it is present in the second. This seems to be the opposite of the problem that you report.

This is explained by the fact that the first request is redirected by a 301 response, and the auth header is not propagated in the follow up request to the redirected location. You can see that the auth header was sent in the initial request by looking in response.history[0].request.headers.

The second request is not redirected because the session has kept the connection to the host open (due the the Connection: keep-alive header), so the auth headers appear when you print response.request.headers.

I doubt that you are actually using https://test.com, but probably a similar thing is happening with the server that you are using.

For testing I recommend using the very handy public test HTTP server https://httpbin.org/headers. This will return the headers received by the server in the response body. You can test redirected requests with one of the redirect URLs.