+-------[ Jens Vagelpohl ]---------------------- | actually, the "most correct" way would be for the cookie handling in | exUserFolder to sniff the request and try to determine if it is a | webdav request. i think that's how the CookieCrumbler does it, and | that's what i do for the LDAPUserFolder. | | cookie handling is a horrible mess in general, though. it is extremely | hard to "do the right thing" under all circumstances. that's why i | personally have taken to telling people "use cookie crumbler" and why | there will no longer be cookie support built into the LDAPUserFolder | itself once version 2.0 comes out. Unfortunately the credentials are easily sniffed out of cookies set by CookieCrumbler (and XUF in non-secure cookie mode). If FTP works with XUF, I don't see why DAV shouldn't work either. I know FTP *used to* work. Perhaps the folks responsible for the validate overhaul would like to comment about now. -- Totally Holistic Enterprises Internet| | Andrew Milton The Internet (Aust) Pty Ltd | M:+61 416 022 411 | ACN: 082 081 472 ABN: 83 082 081 472 |akm@theinternet.com.au| Carpe Daemon