The problem is the way HTTP Auth was designed. According to the HTTP specification, the browser only needs to send credentials after having received a 401 (Unauthorized) HTTP response code from the server, and only for that one request. The idea is that HTTP is stateless, so each and every request the browser makes would be met with a 401 response, and then the browser would send the credentials in a second request, and finally the server would validate the credentials and respond with the data.

Now this is rather slow (2 requests for every page), so most browsers have optimized their implementation by automatically sending credentials for any URL below a URL the server required authentication for, on the first request.

What this means is you can sort of work around your problem by having people log into your site in the root. A login method in the root of your site will work for this.

The other solution is to use cookie based authentication. (I think there are several products on zope.org that provide this functionality.)

-Randy
-----Original Message-----
From: Richard Ettema [mailto:richard.ettema@yoursolutions.co.uk]
Sent: Saturday, April 07, 2001 5:05 AM
To: zope@zope.org
Subject: [Zope] Problem with checking roles an authenticated user has
Hi,
I have a site which includes a members area. When a member logs in, extra features are made available on all pages compared to a non-member. The problem is that sometimes the authenticated_user test I use does not come back true once someone has logged in. This problem does not occur all the time or with any particular page. It is being very unpredictable! This is the dtml-if (placed in the standard_html_header) I use to check...
<dtml-if "AUTHENTICATED_USER.has_role('a_member') or AUTHENTICATED_USER.has_role('Manager')">
Any ideas what my problem could be?
Thanks for any ideas
Richard
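The behaviour described in the reply, as an added example that is not part of either message: a simplified Python model of a browser that sends Basic credentials on the first request only for URLs below one that answered 401, and of a public page that sees a named user only when that header arrives. The class, function, path and account names are hypothetical, and the password is a constructed sample that the model does not validate.

```python
import base64


class BasicAuthClient:
    """Simplified model of a browser's preemptive Basic-auth behaviour."""

    def __init__(self, username, password):
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self._header = "Basic " + token
        self._prefixes = set()  # directories in which a 401 was answered

    def on_401(self, path):
        """Remember the directory of a URL that required authentication."""
        self._prefixes.add(path[: path.rfind("/") + 1])

    def headers_for(self, path):
        """Headers the first request for `path` would carry."""
        if any(path.startswith(prefix) for prefix in self._prefixes):
            return {"Authorization": self._header}
        return {}


def visible_user(headers):
    """Server side of the model: the user a public page sees.

    A public page never answers 401, so it only knows the user when the
    browser volunteers the Authorization header.
    """
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return "Anonymous User"
    decoded = base64.b64decode(value[len("Basic "):]).decode()
    return decoded.split(":", 1)[0]


def browse(login_url, pages, user="richard", password="constructed-pw"):
    """Log in at `login_url`, then report the user each page would see."""
    client = BasicAuthClient(user, password)
    client.on_401(login_url)
    return {page: visible_user(client.headers_for(page)) for page in pages}


# Constructed sample site: one members page and two public pages.
PAGES = ["/members/news.html", "/index.html", "/products/list.html"]

if __name__ == "__main__":
    print("login under /members/:", browse("/members/login", PAGES))
    print("login in the root:    ", browse("/login", PAGES))
```

With the login under `/members/`, only the members page sees the user; with the login in the root, every page does.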