Hi,

I am trying to develop a LoginMethod with the LoginManager product, which does not use HTTP authentication at all, but stores the user information in a session. I am using CoreSessionTracking 0.9. If I call the loginForm directly, the user can log in and can work in his session. He can log out and log in again; everything seems to work as expected.

The structure is like this:

acl_users (default)
AppFolder (not protected)
    acl_users (LoginManager)
    head
    foot
    index_html: <dtml-var head> <dtml-var content> <dtml-var foot>
    testFolder (protected)
        content

When I now, as anonymous, call AppFolder/testFolder/content directly, which is not accessible to anonymous, the LoginManager loginForm pops up. But when I access AppFolder/testFolder, the default HTTP authorisation box pops up. When I test this with ZDebug, I get the information that Zope is trying to publish index_html, and that user Anonymous is not allowed to access content.

I debugged this with the Python debugger and found that only for the index_html it is calling the validate function of the LoginManager acl_users. There the response.unauthorized is set to the correct loginForm. But further on, the validate functions of User.py are called.

I posted this problem to the zpatterns list, and got the following answer:

Begin citation -------------------

Date: Tue, 6 Nov 2001 15:12:27 -0800
From: John Eikenberry <jae-zpat@kavi.com>
To: zpatterns <zpatterns@eby-sarna.com>
Subject: Re: [ZPatterns] still struggeling with a sessionbased LoginMethod

I ran into the same problem. Turns out that Zope has 2 security mechanisms. The first checks the permissions on the published objects. The second is used when doing things like parsing the dtml. There is no way around it besides making sure that every folder that restricts access has an index_html in it. The index_html is looked for at publishing time and will trigger the loginForm.

We had to go back to basic auth as we had just finished developing a whole publishing setup that was built around the idea of having 1 index_html at the top level. :P

End citation -------------------

Can someone with the real Zope-Zen help?

With kind regards,

Joachim Schmitz
AixtraWare, Ing. Büro für Internetanwendungen
Hüsgenstr. 33a, D-52457 Aldenhoven
Telephone: +49-2464-8851, Fax: +49-2464-905163