Roland Reumerman writes:
> 1) When I set a cookie with the path set to the root
> <dtml-call "RESPONSE.setCookie('account',AUTHENTICATED_USER,path='/')">

Be careful with "cookies"! The value of a cookie is quite severely restricted (it must not contain many characters; have you read the cookie specification?). In your case, the value is not a string at all but a Zope object. "RESPONSE.setCookie" will probably convert the object to a string for you. This will give you "AUTHENTICATED_USER.getUsername()". However, I would feel better if this were in your "setCookie" call.

Note that Zope user names probably may contain characters not allowed in cookie values.

> I'm still not able to click through to another hyperlink once I'm logged in, i.e., I've used www.ddi.nl/support to go to the password protected Zope site, logged in as a customer, and from there I can choose other parts of the site (below .../support/). However, www.ddi.nl is an alias of www.datadistilleries.com (the actual name): as a result it asks me for the password again. I thought setting the path to '/' would convince Zope I'm authorized, but apparently it's not the case.

The path is a "local" path on your server. Setting "path='/'" tells the browser to add the cookie to any request going to your server. "path='/XXXX'" would tell the browser to send it only for requests with paths beginning with "/XXXX". You cannot control with "path" to what server the cookie is sent. There is the "domain" specification that gives you some control over the servers that get the cookie. I doubt, however, that this mechanism will allow you to send cookies defined by "www.ddi.nl" also to "www.datadistilleries.com".

> 2) This might be related to 1. I've created a logout link on the ..../support/index_html page, which looks as follows:
> <dtml-call "RESPONSE.expireCookie('account',path='/')">
> <dtml-call "RESPONSE.redirect('http://www.datadistilleries.com/support.html?section=m6&envelope=6')">
> However, once I've been redirected I can still access the password protected ..../support/ site without Zope asking me for a login name.

There must be some magic you did not yet tell us about.

Usually, setting a cookie has nothing to do with password protection or authentication. There must be something like a "login manager" that ties Zope's security subsystem, login/logout and cookies together. Usually, this "login manager" would do the cookie handling transparently. That you are concerned with the cookie seems to indicate that you implement your own "login manager"? The built-in Zope authentication does not use cookies at all but "basic authentication" as defined by HTTP.

Dieter
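The host and path scoping rules Dieter describes can be checked without a browser: Python's standard `http.cookiejar` implements the same Netscape cookie rules, so feeding it the Set-Cookie headers a server would send shows exactly which requests get the cookie back. The following is an added example, not code from the thread or from Zope; the host names and paths are the ones discussed above, while the cookie values, the `account`/`section` names and the helper function names are constructed for illustration. It also shows the value restriction from the first reply: percent-encoding a user name keeps the cookie value legal.

```python
# Added example (not from the mailing-list thread): simulates how a browser
# scopes cookies by host and path, using the standard library's http.cookiejar.
# Host names and paths come from the thread; cookie names and values are constructed.
import email.message
import http.cookiejar
import urllib.parse
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_header):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def server_sets_cookie(jar, url, set_cookie_header):
    """Feed a Set-Cookie header into the jar as if the server at `url` had sent it.
    Returns True if the jar (like a browser) accepted the cookie."""
    before = len(jar)
    jar.extract_cookies(_FakeResponse(set_cookie_header), urllib.request.Request(url))
    return len(jar) > before


def cookie_header_for(jar, url):
    """Return the Cookie header a browser holding `jar` would attach to a request
    for `url`, or None if no stored cookie is in scope for that host and path."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def encode_cookie_value(username):
    """Cookie values may not contain separators such as ';', ',' or whitespace.
    Percent-encoding keeps the value legal; reverse with urllib.parse.unquote."""
    return urllib.parse.quote(username, safe="")


def demo():
    results = {}

    # path='/' set by www.ddi.nl: sent to every path on that host, but only that host,
    # so the alias www.datadistilleries.com never sees it.
    jar = http.cookiejar.CookieJar()
    server_sets_cookie(jar, "http://www.ddi.nl/support/", "account=alice; Path=/")
    results["same_host_root"] = cookie_header_for(jar, "http://www.ddi.nl/")
    results["same_host_support"] = cookie_header_for(jar, "http://www.ddi.nl/support/index_html")
    results["alias_host"] = cookie_header_for(jar, "http://www.datadistilleries.com/support/")

    # path='/support': only sent for requests whose path begins with /support.
    jar2 = http.cookiejar.CookieJar()
    server_sets_cookie(jar2, "http://www.ddi.nl/support/", "section=m6; Path=/support")
    results["path_scoped_inside"] = cookie_header_for(jar2, "http://www.ddi.nl/support/index_html")
    results["path_scoped_outside"] = cookie_header_for(jar2, "http://www.ddi.nl/other")

    # Domain attribute: a server cannot hand a cookie to an unrelated host;
    # the jar rejects it just as a browser would.
    jar3 = http.cookiejar.CookieJar()
    results["cross_domain_accepted"] = server_sets_cookie(
        jar3, "http://www.ddi.nl/support/",
        "account=alice; Path=/; Domain=www.datadistilleries.com")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `alias_host` and `cross_domain_accepted` results are the point of the thread: neither `path='/'` nor a `domain` attribute can make a cookie set by `www.ddi.nl` travel to `www.datadistilleries.com`, so a site served under two names needs one canonical host (or a redirect to it) if a cookie-based login is to survive the switch.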