Exactly. And in fact I've had to make special "arrangements" (read: kludge) to support Basic Auth in my Zope application. My app runs in anonymous mode, and I had the login page somewhere in the directory hierarchy. Well, that was fine, except that Mozilla won't send the credentials for any page ABOVE the login page in the hierarchy (unless it is specifically marked as needing authentication). As a result, I would lose any personalized content for pages higher in the hierarchy. I had to put the login page at the top of the hierarchy and redirect to where I was going in the first place.

Regards,
-scott

Rene Pijlman wrote:
The relevant RFCs are:
HTTP/1.1: http://www.ietf.org/rfc/rfc2616.txt
HTTP Authentication: Basic and Digest Access Authentication: http://www.ietf.org/rfc/rfc2617.txt
RFC-2617 says in section 2 "Basic Authentication Scheme":
A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server.
It says MAY, not MUST, not even SHOULD. I could not find any other part of the standard that suggests otherwise.
So if I understand it correctly, Zope is relying on browser behaviour that is not required by the standard. That would mean the problem is caused by Zope, not by some browsers.
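
Added example, not part of the original thread: a Python sketch of the path rule RFC 2617 section 2 gives clients for preemptive Basic credentials (paths at or deeper than the directory of the challenged URL), which shows why a login page deep in the hierarchy leaves pages above it without an Authorization header. The function names and the zope.example URLs are constructed for illustration, and the sketch assumes a single realm per host.

```python
from urllib.parse import urlsplit
import posixpath


def protection_prefix(challenged_url):
    """Return (scheme, host, directory prefix) covered by a Basic challenge.

    RFC 2617 section 2: the client should assume all paths at or deeper than
    the depth of the last symbolic element of the challenged URL are in the
    same protection space. Hypothetical helper, single realm assumed.
    """
    parts = urlsplit(challenged_url)
    path = parts.path or "/"
    # Drop the final segment, keep its containing directory (ends with "/").
    prefix = path[: path.rfind("/") + 1]
    return parts.scheme, parts.netloc.lower(), prefix


def may_send_preemptively(challenged_url, request_url):
    """True if a client following the RFC rule may attach credentials unasked."""
    scheme, host, prefix = protection_prefix(challenged_url)
    req = urlsplit(request_url)
    if (req.scheme, req.netloc.lower()) != (scheme, host):
        return False  # credentials never cross scheme or host
    # Resolve dot segments so "/app/members/../x" is not counted as inside.
    path = posixpath.normpath(req.path or "/")
    if req.path.endswith("/") and path != "/":
        path += "/"
    return path.startswith(prefix)


if __name__ == "__main__":
    # Constructed URLs: login page deep in the tree vs. at the top.
    deep_login = "http://zope.example/app/members/login"
    top_login = "http://zope.example/login"
    for target in ("http://zope.example/app/members/profile",
                   "http://zope.example/app/index_html"):
        print(target,
              "deep:", may_send_preemptively(deep_login, target),
              "top:", may_send_preemptively(top_login, target))
```

Because sending is only a MAY, a server that wants credentials on an anonymous-capable page still has to issue its own 401 challenge rather than rely on this client behaviour.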