[SNIP]
I would GREATLY appreciate an explanation of where the authorization information is coming from. I don't see the currently logged in user in my CGI environment, including cookies. How does any server-side program get the user authorization information from the browser after the user has logged in and gone to a different frame or window? --
I'm just talking about basic-auth here. The browser just resends (or should at least) the credentials in the request header (BASE64 encoded) for every request to the same server. Perhaps - I'm not sure - the browser respects URIs, i.e credentials which were asked at http://hostname/secure_area/ would not be sent to http://hostname/public_area/ but to http://hostname/secure_area/subfolder/ But I'm not sure. A nice way to see the dialog between browser and server is using Shanes nice tcpwatch, located at http://www.zope.org/Members/hathawsh/tcpwatch cheers, oliver