sam wrote:
Besides the AUTHORIZED_USER field in the HTTP header,
AUTHENTICATED_USER is an object created after a client authenticates, it is not an http header nor is it derived from the Authentication header. The Authentication header contains a user id and base64 encoded password that is used to authenticate the client.
what else does Zope use to identify an HTTP packet from a browser?
I assume by 'packet' you mean request. HTTP is stream based.
I am just wondering, can I not masquerade as a user by setting the HTTP header using httplib or some such utility?
No. You can authenticate yourself with such a client, but you must still have a valid password. You cannot just insert any old user id into the Authentication header and expect Zope to believe you. That wouldn't exactly be very good security. -Michel
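To illustrate Michel's point, here is an added example (not Zope's code, and not part of the original thread) of how a server treats a Basic credential header: the user id in it is only a claim, and the user object is created only after the password verifies against the server's own store. The credential store, salt and hashing scheme are constructed for the example; Python 3 is assumed.

```python
import base64
import hashlib
import hmac

# Constructed credential store for the example: user id -> salted SHA-256 of the password.
# This stands in for whatever the server actually consults; it is not Zope's user folder.
_SALT = b"example-salt"
_USERS = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}


def parse_basic_header(value):
    """Split a Basic credential header value into (user_id, password), or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user_id, _, password = decoded.partition(":")  # password may itself contain ':'
    return user_id, password


def authenticated_user(header_value):
    """Return the user id only if the supplied password verifies; otherwise None.

    The id in the header is merely what the client asserts; the server-side
    password check is the only thing that turns it into an authenticated user.
    """
    creds = parse_basic_header(header_value)
    if creds is None:
        return None
    user_id, password = creds
    expected = _USERS.get(user_id)
    if expected is None:
        return None
    candidate = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(candidate, expected):  # constant-time comparison
        return None
    return user_id


def basic_header(user_id, password):
    """Build the header value a client such as httplib would send."""
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")
```

Inserting a known user id with a wrong or missing password, as the question proposes, yields no authenticated user at all.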