I see in the code for CookieCrumbler.modifyRequest() that it disables cookies if the HTTP method is not GET, PUT, or POST. Specifically this means that it won't accepct cookie auth for HEAD requests. This is causing problems on my site for users with some browsers. Apparently some browsers (recent Mozillas, maybe others) send a HEAD request when the user right-clicks a link and selects "Save link target as" (presumably to gather information before starting the download). So any links that are restricted to authenticated users have the strange behavior that users can left-click and view the file directly, but if they right-click instead they get the Zope Basic auth dialog. Not at all the desired behavior :) Is there a particular reason why HEAD was omitted from the list in modifyRequest()? Could it be added in? Thanks -- Brent ------------------------------------------------------------------------- "The programmer, like the poet, works only slightly removed from pure thought-stuff. He builds his castles in the air, from air, creating by exertion of the imagination. Few media of creation are so flexible, so easy to polish and rework, so readily capable of realizing grand conceptual structures." -- Frederick Brooks, Jr., The Mythical Man Month