Roland Reumerman writes:
1) When I set a cookie with the path set to the root <dtml-call "RESPONSE.setCookie('account',AUTHENTICATED_USER,path='/')">
Be careful with "cookies"! The value of a cookie is quite severely restricted (must not contain many characters; you read the cookie specification?). In your case, the value is not a string at all but a Zope object. "RESPONSE.setCookie" will probably convert the object to a string for you. This will give you "AUTHENTICATED_USER.getUsername()". However, I would feel better, if this would be in your "setCookie" call.
Note, that probably Zope user names may contain characters not allowed in Cookie values.
I'm still not able to click through to another hyperlink once I'm logged in, i.e., I've used www.ddi.nl/support to go to the password protected Zope site, logged in as a customer, and from there I can choose other parts of the site (below .../support/). However, www.ddi.nl is an alias of www.datadistilleries.com (the actual name): as a result it asks me for the password again. I thought setting the path to '/' would convince Zope I'm authorized, but apparently it's not the case.
The path is a "local" path on your server. Setting "path='/'" tells the browser to add the cookie to any request going to your server. "path='/XXXX'" would tell the browser to send it only for requests with paths beginning with "/XXXX". You cannot control with "path" to what server the cookie is sent. There is the "domain" specification that gives you some control over the servers that get the cookie. I doubt, however, that this mechanism will allow you to send cookies defined by "www.ddi.nl" also to "www.datadistilleries.com".
2) This might be related to 1. I've created a logout link on the ..../support/index_html page, which looks as follows: <dtml-call "RESPONSE.expireCookie('account',path='/')"> <dtml-call "RESPONSE.redirect('http://www.datadistilleries.com/support.html?section=m6&envelope=6')"> However, once I've been redirected I can still access the password protected ..../support/ site without Zope asking me for a login name.
There must be some magic, you did not yet tell us about.
Usually, setting a cookie has nothing to do with password protection or authentication. There must be something like a "login manager" that ties Zope's security subsystem, login/logout and cookies together. Usually, this "login manager" would do the cookie handling transparently. That you are concerned with the cookie seems to indicate that you implement your own "login manager"? The built in Zope authentication does not use cookies at all but "basic authentication" as defined by HTTP.
Dieter
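The path and domain rules described in the reply above, as an added example that is not part of the original thread: a simplified Python model of the RFC 6265 domain-match and path-match checks, using the two host names from the question. The function names are hypothetical, and public-suffix and IP-address handling are left out.

```python
# Added example: simplified RFC 6265 cookie scoping (no public-suffix or IP handling).

def domain_match(host, domain):
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: cookie path is a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def store_cookie(setting_host, path="/", domain=None):
    """Return the scope a browser would store, or None if it rejects the cookie."""
    if domain is None:
        # No Domain attribute: the cookie is bound to the exact setting host.
        return {"domain": setting_host.lower(), "host_only": True, "path": path}
    if not domain_match(setting_host, domain):
        # A host may only name itself or a parent domain, never an unrelated one.
        return None
    return {"domain": domain.lower().lstrip("."), "host_only": False, "path": path}

def would_send(cookie, request_host, request_path):
    """Decide whether the stored cookie accompanies a given request."""
    if cookie is None:
        return False
    if cookie["host_only"]:
        host_ok = request_host.lower() == cookie["domain"]
    else:
        host_ok = domain_match(request_host, cookie["domain"])
    return host_ok and path_match(request_path, cookie["path"])

if __name__ == "__main__":
    c = store_cookie("www.ddi.nl", path="/")
    print(would_send(c, "www.ddi.nl", "/support/index_html"))
    print(would_send(c, "www.datadistilleries.com", "/support/"))
    print(store_cookie("www.ddi.nl", domain="datadistilleries.com"))
```

path='/' widens the cookie to every path on the setting host only; the alias host name never receives it, and a Domain attribute naming the other site is discarded by the browser.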
Dieter Maurer wrote:
Note, that probably Zope user names may contain characters not allowed in Cookie values.
I wonder how hard it would be to implement the following:
<dtml-var something cookie_quote> Quote all characters not allowed in a cookie
<dtml-var something id_quote> Quote all characters not allowed in a Zope 2.2 id (this one could be really handy ;-)
cheers, Chris
<dtml-var something cookie_quote> Quote all characters not allowed in a cookie
wouldn't <dtml-var something url_quote> do the job? That reminds me, it's silly that there's not <dtml-something url_unquote>, so I patched my zope to provide it. I was wondering if there's a mechanism for getting this kind of simple tweak into the source tree?
seb
Seb Bacon wrote:
<dtml-var something cookie_quote> Quote all characters not allowed in a cookie
wouldn't <dtml-var something url_quote> do the job?
Dunno... Dieter?
That reminds me, it's silly that there's not <dtml-something url_unquote>, so I patched my zope to provide it. I was wondering if there's a mechanism for getting this kind of simple tweak into the source tree?
Yup, the collector: http://classic.zope.org:8080/Collector/ Submit it as a 'Feature Request w/patch'
cheers, Chris
Chris Withers writes:
Seb Bacon wrote:
<dtml-var something cookie_quote> Quote all characters not allowed in a cookie
wouldn't <dtml-var something url_quote> do the job?
Dunno... Dieter?
I reread the cookie spec: in cookie values forbidden are: semi-colon, comma and white space. These are not the characters handled by "url_quote".
That reminds me, it's silly that there's not <dtml-something url_unquote>, so I patched my zope to provide it....
You, usually, will not need an "url_unquote". You use "url_quote" when you construct part of an URL. This URL will already have been decoded when you get it back in Zope (i.e. the unquote is done automatically for you).
Dieter
Chris Withers writes:
Dieter Maurer wrote:
Note, that probably Zope user names may contain characters not allowed in Cookie values.
I wonder how hard it would be to implement the following:
<dtml-var something cookie_quote> Quote all characters not allowed in a cookie
It would be easy. The "unquote" would be trickier, because it cannot rely on the fact that the cookie value was quoted.
Otherwise, one could implement quoting/unquoting transparently (the best solution from a user point of view).
<dtml-var something id_quote> Quote all characters not allowed in a Zope 2.2 id (this one could be really handy ;-)
Would this really help you?
Where would you use this "id_quote"? The only useful place might be the action of an object creation or renaming. However, I am not sure, that I would prefer to get a strangely encoded id rather than an exception that tells me some characters are not allowed in Id's.
Dieter
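One way to handle the unquoting problem raised in the message above, as an added example that is not part of the original thread and not Zope code: quoted values carry a marker prefix, so a cookie that was never quoted is returned untouched. The names `cookie_quote`, `cookie_unquote` and the `zq1.` marker are hypothetical, and besides the semicolon, comma and white space named in the thread the sketch also escapes `%`, double quote, backslash and non-printable or non-ASCII bytes.

```python
# Added example: marker-prefixed cookie quoting with a safe unquote.
import re

MARKER = "zq1."          # hypothetical prefix that tags a quoted value
ESCAPE = ';,%"\\'        # escaped in addition to whitespace and non-printables

def cookie_quote(value):
    """Percent-encode every byte that is not safe inside a cookie value."""
    out = []
    for b in value.encode("utf-8"):
        if b <= 0x20 or b >= 0x7F or chr(b) in ESCAPE:
            out.append("%%%02X" % b)
        else:
            out.append(chr(b))
    return MARKER + "".join(out)

def cookie_unquote(raw):
    """Decode a marked value; hand back anything unmarked exactly as received."""
    if not raw.startswith(MARKER):
        # Never quoted (e.g. set by older code): decoding it would corrupt it.
        return raw
    # Cookies are client-controlled input, so malformed data must raise.
    body = raw[len(MARKER):].encode("ascii")      # UnicodeEncodeError is a ValueError
    data = re.sub(rb"%([0-9A-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), body)
    value = data.decode("utf-8")                  # invalid UTF-8 raises ValueError
    if cookie_quote(value) != raw:
        # Stray '%', lowercase hex or raw forbidden characters land here.
        raise ValueError("cookie is not in canonical quoted form")
    return value

if __name__ == "__main__":
    name = "Smith, John; admin"                   # constructed sample user name
    quoted = cookie_quote(name)
    print(quoted)
    print(cookie_unquote(quoted))
    print(cookie_unquote("50%25off"))             # constructed unquoted legacy value
```

A legacy value that happens to begin with the marker is still ambiguous; the canonical-form check rejects most such cases but cannot rule them all out.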
Dieter Maurer wrote:
Where would you use this "id_quote"? The only useful place might be the action of an object creation or renaming.
Exactly...
However, I am not sure, that I would prefer to get a strangely encoded id rather than an exception that tells me some characters are not allowed in Id's.
But if you're automatically creating ids from text people have typed in (and they'll never need to know the id's) it seems nicer to me for the id to be automatically mangled to what it needs to be rather than throwing a confusing error (which doesn't actually tell you which character(s) are not allowed, IIRC)
cheers, Chris
participants (3): Chris Withers, Dieter Maurer, Seb Bacon