Jim Harrison wrote at 2004-2-9 18:55 -0500:
... I thought I would authenticate the users by setting up a small protected page template that would get called against the current page of the user when the login link was clicked. The template would force a login and then redirect back to the page the user started from.
When I do that, it does force a login and redirect, but the menus do not change after the redirect. However, the user is logged in--if I try this with a manager password, I can type "manage" against the site url and immediately jump into the management interface without additional login.
Almost surely, you are hit by a special feature of the HTTP 1.x basic authentication (read the specification to learn about the details): HTTP 1.x says that the browser should automatically send authentication information into the subhierarchy that requested authentication. Browsers following the spec closely will not automatically send authentication information for URLs outside of this subhierarchy. They will, however, reuse login information when a URL from outside the hierarchy sends an Authentication challenge.

This explains what you describe, provided your "login" page does not lie in an ancestor folder of your page. Put your "login" page in one of these folders (e.g. the "Root Folder") and see whether the behaviour goes away.

-- Dieter
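The scoping rule described in the reply above, as an added example that is not part of the original message: a small Python model of which requests a spec-following browser sends Basic credentials with after a login. The URLs are constructed, and the model assumes a single realm and a page that is viewable anonymously (so the server does not challenge for it).

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample URLs (hypothetical site layout, not from the original post).
PAGE = "http://example.test/site/docs/page.html"
LOGIN_DEEP = "http://example.test/site/docs/tools/login"  # not in an ancestor folder of PAGE
LOGIN_ROOT = "http://example.test/login"                  # in the root folder
MANAGE = "http://example.test/site/manage"                # protected, always challenges


def protection_prefix(challenged_url):
    """Return (origin, directory) the browser assumes needs credentials after
    a 401 on challenged_url: all paths at or deeper than its last path element."""
    u = urlsplit(challenged_url)
    directory = posixpath.dirname(u.path or "/")
    if not directory.endswith("/"):
        directory += "/"
    return (u.scheme, u.netloc), directory


def sent_preemptively(challenged_url, request_url):
    """True if Authorization is attached to request_url without a new challenge."""
    origin, prefix = protection_prefix(challenged_url)
    r = urlsplit(request_url)
    return (r.scheme, r.netloc) == origin and (r.path or "/").startswith(prefix)


def outcome(challenged_url, request_url, server_challenges):
    """Describe how request_url is handled after the user logged in on challenged_url."""
    if sent_preemptively(challenged_url, request_url):
        return "authenticated: credentials sent up front"
    if server_challenges:
        # Assumption: same realm, so the cached credentials answer the 401 silently.
        return "authenticated: cached credentials reused after 401, no prompt"
    return "anonymous: no credentials sent, no challenge issued"


if __name__ == "__main__":
    for login in (LOGIN_DEEP, LOGIN_ROOT):
        print(login)
        print("  page  ->", outcome(login, PAGE, server_challenges=False))
        print("  manage->", outcome(login, MANAGE, server_challenges=True))
```

With the login template below the page's folder, the page is still fetched anonymously while "manage" authenticates silently; with the login template in the root folder, both requests carry credentials.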