Message-ID: <416F01F5.4050702@library.ucsf.edu>
Date: Thu, 14 Oct 2004 15:47:17 -0700
From: Gordon Lai <lai@library.ucsf.edu>
To: Tres Seaver <tseaver@zope.com>
Subject: Re: [Zope] Re: CookieCrumbler problem
References: <416DD567.2030805@library.ucsf.edu> <416DE4D1.3080407@zope.com>
In-Reply-To: <416DE4D1.3080407@zope.com>
Cc: zope@zope.org

Hi Tres,

Thanks for your reply, but login.html isn't protected. I do get a Not 
Authorized page when I cancel the basic auth dialog popup, though; I 
assume that shows up because I didn't log in to the protected folder. Any 
other suggestions? Thanks for suggesting VerboseSecurity.

Gordon

Tres Seaver wrote:

> Gordon Lai wrote:
>
>> Hi,
>>
>> I'm having a problem with CookieCrumbler 1.24. I'm trying to use it 
>> with Zope 2.7.2, Python 2.3.4, and LDAPUserFolder 2.4beta3. I want CC 
>> to show my login.html when a user accesses a protected folder, but 
>> this doesn't happen; the basic auth dialog still pops up. I enter a 
>> username and password that authenticates correctly with my LDAP 
>> server and then my login.html shows up. On this page I have to enter 
>> a correct username, but then any gibberish in the password field will 
>> allow me to log in; this basically means that the dialog box was doing 
>> the real login and this login.html wasn't doing much. I can then 
>> log out by clicking a link that calls a Python Script that calls 
>> logout() in CC (is this the correct way to logout? CC doesn't have 
>> any docs, so I perused its code and found logout()). But now when I 
>> try to access the folder again I get instantly logged out because I 
>> have code at the top of my index.html ZPT that detects if a session 
>> object exists, and if it doesn't it will logout the user. Since I've 
>> logged out, a session object does not exist. Basically, the login 
>> process is being completely bypassed and I'm hitting index.html 
>> directly.
>>
>> The correct login process that I have set up is as follows:
>>
>> 1) CC shows my login.html.
>> 2) The user logs in, which calls index.py.
>> 3) index.py creates a new session and then calls index.html
>>
>> This was working for some time before "something happened" and I am 
>> now seeing the above wrong behavior. What am I doing wrong?
>
> It sounds as though 'login.html' is protected;  what happens if you 
> cancel out when the basic auth dialog pops up?  What happens there is 
> that you get a 401 (because the login form is protected), and the 
> cookie crumbler doesn't intercept it (because it knows it is trying to 
> challenge already).  Then, when you supply basic auth credentials, 
> Zope renders the form, but at this point the browser is already 
> including the 'Authenticate:' header, which makes the login POST 
> handler irrelevant.
>
> BTW, I would recommend installing VerboseSecurity, if the traceback 
> doesn't give you enough information:
>
>   http://hathawaymix.org/Software/VerboseSecurity
>
> Tres.

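The challenge sequence Tres describes (a protected login form turns the cookie crumbler's redirect into a plain 401, the browser then caches basic-auth credentials and re-sends them on every request, so the form's POST handler and Gordon's session check are bypassed) can be run through in a toy model. This is an added illustration written for this archive page; it is not code from the thread, from CookieCrumbler or from Zope, and the names `Site`, `Browser`, `run`, the `/folder/*` paths, the `__ac` cookie and the credential table are all constructed for the example.

```python
"""Toy model of the challenge flow: a CookieCrumbler-style interceptor turns
a 401 into a redirect to the login form, unless the form itself is protected.
Constructed names throughout (Site, Browser, /folder/* paths, __ac cookie,
credential table); not CookieCrumbler's or Zope's own code."""

from collections import namedtuple

VALID = {"gordon": "secret"}  # constructed credential table
LOGIN, HANDLER, INDEX = "/folder/login.html", "/folder/index.py", "/folder/index.html"
# headers and cookies are the browser's own dicts, shared across requests
Request = namedtuple("Request", "path headers cookies form")


class Site:
    """Login form, login handler (Gordon's index.py) and the protected index page."""

    def __init__(self, login_form_protected):
        self.protected = {INDEX, HANDLER} | ({LOGIN} if login_form_protected else set())
        self.sessions, self.trace = set(), []

    def _user(self, req):
        # A basic-auth header the browser re-sends on every request wins,
        # then the crumbler's cookie, then the fields posted from the form.
        f = req.form
        cred = (req.headers.get("Authorization") or req.cookies.get("__ac")
                or (f"{f['__ac_name']}:{f['__ac_password']}" if "__ac_name" in f else None))
        if not cred:
            return None
        name, _, pw = cred.partition(":")
        if VALID.get(name) != pw:
            return None
        if "Authorization" not in req.headers:
            req.cookies["__ac"] = cred  # crumbler-style: keep form creds in a cookie
        return name

    def publish(self, req):
        """Returns (status, location_or_body)."""
        user = self._user(req)
        if req.path in self.protected and user is None:
            self.trace.append(f"401 {req.path}")
            if req.path == LOGIN:  # already challenging: let the 401 through
                self.trace.append("crumbler: pass 401 through")
                return 401, "Basic"
            self.trace.append("crumbler: redirect to login form")
            return 302, LOGIN
        if req.path == LOGIN:
            self.trace.append("render login form")
            return 200, "form"
        if req.path == HANDLER:  # trusts whoever the publisher authenticated
            self.sessions.add(user)
            self.trace.append(f"session created for {user}")
            return 302, INDEX
        if user in self.sessions:
            self.trace.append("index.html served")
            return 200, "index"
        self.trace.append("index.html: no session, logout")  # Gordon's ZPT check
        self.sessions.clear()
        return 302, LOGIN


class Browser:
    """Answers a basic-auth dialog with the real password and, like a real
    browser, keeps sending that header afterwards; fills the login form with
    `typed_password`, which may be gibberish."""

    def __init__(self, site):
        self.site, self.headers, self.cookies = site, {}, {}

    def get(self, path, form=None):
        return self.site.publish(Request(path, self.headers, self.cookies, form or {}))

    def login_flow(self, typed_password):
        path, form, forms_seen = INDEX, {}, 0
        for _ in range(12):
            status, payload = self.get(path, form)
            if status == 401:
                self.site.trace.append("browser: basic auth dialog")
                self.headers["Authorization"] = "gordon:secret"  # then retry same request
            elif status == 302:
                path, form = payload, {}
            elif payload == "form":
                forms_seen += 1
                if forms_seen > 1:
                    return "login rejected"
                path, form = HANDLER, {"__ac_name": "gordon", "__ac_password": typed_password}
            else:
                return "index served"
        return "gave up"

    def logout(self):  # a logout() can kill the session and the cookie ...
        self.site.sessions.clear()
        self.cookies.pop("__ac", None)  # ... but not the browser's cached basic-auth header
        self.site.trace.append("logout")


def run(login_form_protected, typed_password):
    """Log in, log out, re-access the folder; report what happened."""
    site = Site(login_form_protected)
    browser = Browser(site)
    first = browser.login_flow(typed_password)
    browser.logout()
    browser.get(INDEX)  # the re-access Gordon describes
    return {"first": first, "dialog": "browser: basic auth dialog" in site.trace,
            "after_logout": site.trace[-1], "trace": site.trace}
```

`run(True, "gibberish")` reproduces the report: the dialog appears, the form's gibberish password is ignored because the cached `Authorization` header already authenticates the POST, and after logout the first request lands on index.html with no session. `run(False, "gibberish")` shows the intended flow once the form is unprotected: no dialog, and a wrong form password is rejected; `run(False, "secret")` logs in through the form and, after logout, is sent back to it. Printing `r["trace"]` gives the step-by-step sequence for each case.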
_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )