Terry,

I am having problems with IE and cookies as well. They seem to set fine, but I could not expire them. I then added path='/Some_Directory' and that seemed to cure the problem. Even though with IE, the cookies still seem to be there, it's just after they shut down the browser that they don't seem to register. I am using session cookies for authentication and a bookmarked page will still render until the browser is shut down on IE. From what I can tell, Moz, Netscape, Galeon, and Konqueror all expire the cookies properly, and will redirect to the login if a bookmark is used.

If you turn up anything else, please let me know.

Michael

On Wednesday 31 July 2002 03:01 am, Terry Hancock wrote:
Hi all,
I'm running into a problem with CookieUserFolder which will probably apply to cookies in general, in which Internet Explorer and Konqueror are apparently having problems, while Netscape and Mozilla don't.
This rings a bell about a difference in the handling of cookies. I remember a recommendation that cookie-based login be done from a top-level folder to avoid problems with IE, but now I can't find it, despite quite a bit of searching -- I'm not using the right keywords or something. Does anyone remember where I might find this information?
I did find this note:
(Date: Tue, 24 Apr 2001 15:38:36 -0400)
Anyways, the problem occurs because Zope does not set the "PATH=" attribute in the cookies it sends and hence simply relies on the client to default it. Our cookiejar correctly follows the procedure outlined under RFC 2109 and the older Netscape cookie specification and defaults the path to the path of the URL from which the cookie was obtained. Unfortunately the people who wrote the specification for some reason, probably broken implementation or an oversight, chose not to follow their own specs and simply allowed cookies with a missing "PATH=" attribute to be treated as if "PATH" was set to the top level directory ("/"). IE also does the same thing; probably for compatibility reasons. And now so do we.
( http://bugs.kde.org/db/23/23794.html )
Is this still true? I'm not sure whether this is related or not, though. What are the consequences to a cookie-based authentication from this?
Thanks for any ideas,
Terry
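
An added example, not part of the original thread and not Zope's or any browser's code: a small model of the two client behaviours the quoted KDE note describes for a cookie sent without a Path attribute. It shows how the default changes which URLs receive an authentication cookie, and that an expiring Set-Cookie only removes a stored cookie whose name and path both match. The host `example.test`, the `Jar` class and the cookie name `auth` are constructed for illustration.

```python
# Added illustration; URLs and cookie names are constructed samples.
from urllib.parse import urlsplit


def default_path(request_url, root_default=False):
    """Path a client assigns to a cookie that arrives without a Path attribute.

    root_default=False: spec behaviour (request path up to, but not
    including, the right-most "/"). root_default=True: the "treat a
    missing Path as /" behaviour described in the KDE note.
    """
    if root_default:
        return "/"
    path = urlsplit(request_url).path
    if not path.startswith("/") or path.count("/") <= 1:
        return "/"
    return path[: path.rfind("/")]


def path_match(cookie_path, request_path):
    """True if a cookie stored with cookie_path is sent for request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class Jar:
    """Minimal cookie store keyed by (name, path); a single host is assumed."""

    def __init__(self, root_default=False):
        self.root_default = root_default
        self.cookies = {}

    def set_cookie(self, request_url, name, value="", path=None, expire=False):
        key = (name, path or default_path(request_url, self.root_default))
        if expire:
            self.cookies.pop(key, None)  # removes only an exact name+path match
        else:
            self.cookies[key] = value

    def sent_for(self, request_url):
        req = urlsplit(request_url).path or "/"
        return sorted(n for (n, p) in self.cookies if path_match(p, req))
```

Setting Path explicitly on both the login and the expiring response makes the two client behaviours agree on the cookie's scope and on which stored cookie gets replaced.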