On Tuesday, September 4, 2001, at 09:15 PM, Richard Barrett wrote:
I'm not familiar with OmniWeb but the relevant RFC2617 says:
"A client SHOULD assume that all paths at or deeper than the depth of the last symbolic element in the path field of the Request-URI also are within the protection space specified by the Basic realm value of the current challenge. A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server."
My note: the client "MAY preemptively ...", not MUST.
[...]
Maybe it is time to patch Zope so that it is RFC standards conformant ??
The only way I can see of doing this would be to make cookie based authentication the default, or to write a new HTTP RFC and get it accepted by all the browser maintainers out there. Note that the problem not only occurs in the management interface, but anywhere on your site that a page renders differently depending on if it is viewed by an Anonymous client or an authenticated client. It will probably only affect fringe dwellers (like myself - I will be buying Omniweb if this behaviour is changed) unless Microsoft decide to change IE's behaviour. The CoreSessionTracking product, when integrated into Zope core, might also provide an alternative if it could maintain session based on URL instead of cookies (can it do this now?).

-- Stuart Bishop <zen@shangri-la.dropbear.id.au>
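
The protection-space rule quoted from RFC 2617 above, and the rendering difference the reply describes, as an added example that is not part of the original thread and is not Zope or OmniWeb code. The class and function names, the `example.test` URLs and the `user:pass` credential are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit


def _origin_and_path(url):
    """Split a URL into (scheme, host:port) and a path without dot segments."""
    parts = urlsplit(url)
    raw = parts.path or "/"
    path = posixpath.normpath(raw)
    if path.startswith("//"):          # normpath keeps a leading double slash
        path = path[1:]
    if raw.endswith(("/", "/.", "/..")) and path != "/":
        path += "/"                    # keep the "this is a directory" marker
    return (parts.scheme, parts.netloc.lower()), path


def protection_prefix(challenged_url):
    """Paths at or deeper than the last element of the challenged Request-URI."""
    origin, path = _origin_and_path(challenged_url)
    return origin, path[: path.rfind("/") + 1]


class BasicCredentialCache:
    """Client-side cache of Basic credentials (hypothetical model of a browser)."""

    def __init__(self, preemptive):
        self.preemptive = preemptive   # RFC 2617 says MAY: both values conform
        self._spaces = {}              # (origin, prefix) -> Authorization value

    def remember(self, challenged_url, authorization):
        self._spaces[protection_prefix(challenged_url)] = authorization

    def authorization_for(self, url):
        """Header to send without waiting for a 401, or None."""
        if not self.preemptive:
            return None
        origin, path = _origin_and_path(url)
        matches = [(len(prefix), value)
                   for (o, prefix), value in self._spaces.items()
                   if o == origin and path.startswith(prefix)]
        return max(matches)[1] if matches else None   # longest prefix wins


def render_public_page(authorization):
    """Constructed stand-in for a page that needs no login but varies by user."""
    return "authenticated view" if authorization else "anonymous view"
```

Because the page never answers 401, a client built with `preemptive=False` keeps receiving the anonymous rendering even after the user has authenticated elsewhere in the same protection space.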