At 15:33 30/11/2001 +0200, Etienne Labuschagne <ELabuschagne@gims.com> wrote:
Hi there,
This is what happens
1) User enters site (REQUEST.AUTHENTICATED_USER == "Anonymous User") 2) User logs in when accesing a "secure" page. (REQUEST.AUTHENTICATED_USER == "myUser") 3) User goes to page that is available for Anonymous Users but which is rendered differently for logged in users. Page must now render as if user is logged in, but does not because REQUEST.AUTHENTICATED_USER == "Anonymous User" again??
After doing some reading it seems as if this is a problem with the way HTML authentication works (Zope does not receive a browser authentication challenge or something like that). Is there a way around this other than using cookies or url mangling?
Thanks Etienne
You are correct in concluding that you are observing the consequences of how HTTP's Basic Authentication mechanism is supposed to work. The relevant RFC2617 says: "A client SHOULD assume that all paths at or deeper than the depth of the last symbolic element in the path field of the Request-URI also are within the protection space specified by the Basic realm value of the current challenge. A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server." Howover, browsers are not obliged to (and some popular browsers such as IE5 do not) volunteer authentication credentials but re-present the request with the credentials if the server issues an HTTP 401 response challenge for authentication. When your user makes a request with a URL outside the sub-tree protected by a previous authentication challenge the browser, quite rightly, does not submit the credentials for an unrelated URL. This decision is fully justified given that Zope doesn't then challenge for credentials if they aren't supplied. Using cookies may be your best solution as you can challenge for the cookie at one level in your sites URL hierarchy but stipulate the 'path' attribute of the cookie so that it is returned for accesses from any point in URL hierarchy. I'm not a user myself but presumably the CookieCrumbler Product may be of use here.