Gordon Lai wrote:
Hi,
I'm having a problem with CookieCrumbler 1.24. I'm trying to use it with Zope 2.7.2, Python 2.3.4, and LDAPUserFolder 2.4beta3. I want CC to show my login.html when a user accesses a protected folder, but this doesn't happen; the basic auth dialog still pops up. I enter a username and password that authenticates correctly with my LDAP server and then my login.html shows up. On this page I have to enter a correct username, but then any gibberish in the password field will allow me to log in; this basically means that the dialog box was doing the real login and this login.html wasn't doing much. I can then log out by clicking a link that calls a Python Script that calls logout() in CC (is this the correct way to log out? CC doesn't have any docs, so I perused its code and found logout()). But now when I try to access the folder again I get instantly logged out because I have code at the top of my index.html ZPT that detects if a session object exists, and if it doesn't it will log out the user. Since I've logged out, a session object does not exist. Basically, the login process is being completely bypassed and I'm hitting index.html directly.
The correct login process that I have set up is as follows:
1) CC shows my login.html.
2) The user logs in, which calls index.py.
3) index.py creates a new session and then calls index.html
This was working for some time before "something happened" and I am now seeing the above wrong behavior. What am I doing wrong?
It sounds as though 'login.html' is protected; what happens if you cancel out when the basic auth dialog pops up?

What happens there is that you get a 401 (because the login form is protected), and the cookie crumbler doesn't intercept it (because it knows it is trying to challenge already). Then, when you supply basic auth credentials, Zope renders the form, but at this point the browser is already including the 'Authenticate:' header, which makes the login POST handler irrelevant.

BTW, I would recommend installing VerboseSecurity, if the traceback doesn't give you enough information:

http://hathawaymix.org/Software/VerboseSecurity

Tres.
--
===============================================================
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
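
A check for the condition described in the reply above, as an added example that is not part of the original thread or of CookieCrumbler: it reads a captured HTTP exchange and flags a login form that answers anonymous requests with a basic auth challenge, and login requests that already carry basic auth credentials in the `Authorization` request header. The capture format, the paths and the sample data are constructed for illustration.

```python
# Added example: the capture format and all sample data are constructed.

def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def diagnose(exchanges, login_paths):
    """Return findings for requests to the login form or its POST handler."""
    findings = []
    for ex in exchanges:
        if ex["path"] not in login_paths:
            continue
        auth = _header(ex["request_headers"], "Authorization").lower()
        challenge = _header(ex["response_headers"], "WWW-Authenticate").lower()
        sent_basic = auth.startswith("basic ")
        if ex["status"] == 401 and challenge.startswith("basic") and not sent_basic:
            findings.append("login form is protected: anonymous %s %s got a "
                            "basic auth challenge" % (ex["method"], ex["path"]))
        if sent_basic:
            findings.append("%s %s carries basic auth credentials: the form's "
                            "password field is not what authenticates"
                            % (ex["method"], ex["path"]))
    return findings

LOGIN_PATHS = ("/login.html", "/index.py")  # assumed form and POST handler paths
BASIC = "Basic Y29uc3RydWN0ZWQ6c2FtcGxl"     # constructed:sample

# Constructed capture reproducing the reported behaviour.
BROKEN = [
    {"method": "GET", "path": "/login.html", "request_headers": {},
     "status": 401, "response_headers": {"WWW-Authenticate": 'basic realm="Zope"'}},
    {"method": "GET", "path": "/login.html",
     "request_headers": {"Authorization": BASIC}, "status": 200, "response_headers": {}},
    {"method": "POST", "path": "/index.py",
     "request_headers": {"authorization": BASIC}, "status": 200, "response_headers": {}},
]
# Constructed capture of the intended flow: the form is viewable anonymously.
HEALTHY = [
    {"method": "GET", "path": "/login.html", "request_headers": {},
     "status": 200, "response_headers": {}},
    {"method": "POST", "path": "/index.py", "request_headers": {},
     "status": 200, "response_headers": {}},
]

if __name__ == "__main__":
    for finding in diagnose(BROKEN, LOGIN_PATHS):
        print(finding)
```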