Hi,

I am using LoginManager with Basic Cookie Authentication (using Zope 2.3.1b1). When I successfully login, I expect the browser to receive a cookie, right? Now, the problem is this: Netscape 4.76 on Linux and Links 0.82 on Linux don't pick up the cookie. Whereas, Lynx 2.8.3 on Linux and IE 5.something on Windows 2000 do pick it up.

Has anyone experienced this? On similar/other browsers/platforms? Do you know why this is happening?

I don't suspect there is any browser-specific code in LoginManager or HTTPResponse.py, so the problem can't be with Zope (maybe I'm wrong). Also, I can see the cookie quite clearly when I do a raw telnet to port 80 and submit my login form. I checked the format of the cookie received (using the telnet) and everything seems fine, like so:

    Set-Cookie: cookie_name="cookie_value"; Domain=my.domain; Path=/

(Changing the capitalization of Domain or Path has no effect).

Meanwhile, here are some other observations:

1. I got burnt because of the implicit assumptions about how to render code found within a <dtml-raise> block. Zope assumes that anything that doesn't begin with a "<html>" or "<!doctype" is a fragment and so wraps its error message headers around it. My HTML used to start with "<?xml?>", so for a long time, I couldn't understand why my login-form wasn't working.

2. I am new to Zope, so maybe I don't quite appreciate how this works, but I was worried to read in the Zope Book that acquisition works based on the URL and not just the folder hierarchy. I.e., given a directory structure like this:

    ../
    ..|-> gnu/
    ..|...|-> rms
    ..|-> osi/
    ......|-> esr

Zope is quite happy with a URL like: /gnu/osi/esr/rms. Doesn't this have serious implications for security (i.e., one can call arbitrary dtml methods on arbitrary objects)? For example, if you do a "<dtml-var some_method>" carelessly (e.g.: implicitly assuming that some_method will only come from the same folder or one higher up towards the root), then you could be fried if someone puts an incompatible/malicious some_method elsewhere in the document tree, and then uses it in the URL?

And oh, Zope is awesome! Thanks to each and every one of you (for coding, submitting bugs, documenting, writing great extensions/products, helping newbies (like me!) or even just plain hanging around here on the mailing lists)!!!

Thanks!
Sreeram.

--
----------------------------------
Observation is the essence of art.
----------------------------------
On Mon, 26 Feb 2001, Sreeram Ramachandran wrote:
> I am using LoginManager with Basic Cookie Authentication (using Zope 2.3.1b1). When I successfully login, I expect the browser to receive a cookie, right? Now, the problem is this: Netscape 4.76 on Linux and Links 0.82 on Linux don't pick up the cookie. Whereas, Lynx 2.8.3 on Linux and IE 5.something on Windows 2000 do pick it up.
> Has anyone experienced this? On similar/other browsers/platforms? Do you know why this is happening?

Yes, many times. Does your cookie include a "domain" part? It may cause the problem. Or even worse - what was the real URL you tried? Due to security considerations browsers tend to drop cookies from 2nd-level domains. Because of this one of our sites had installed a forced redirect from http://russ.ru/ to http://www.russ.ru/. I remember the same problem with the Russian free-mail site au.ru. They recommended me to switch to www.au.ru - and all went well.

Oleg.
----
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.
On Mon, Feb 26, 2001 at 06:45:43PM +0300, Oleg Broytmann wrote:
> On Mon, 26 Feb 2001, Sreeram Ramachandran wrote:
> > I am using LoginManager with Basic Cookie Authentication (using Zope 2.3.1b1). When I successfully login, I expect the browser to receive a cookie, right? Now, the problem is this: Netscape 4.76 on Linux and Links 0.82 on Linux don't pick up the cookie. Whereas, Lynx 2.8.3 on Linux and IE 5.something on Windows 2000 do pick it up.
> > Has anyone experienced this? On similar/other browsers/platforms? Do you know why this is happening?
>
> Yes, many times. Does your cookie include a "domain" part? It may cause the problem. Or even worse - what was the real URL you tried? Due to security considerations browsers tend to drop cookies from 2nd-level domains. Because of this one of our sites had installed a forced redirect from http://russ.ru/ to http://www.russ.ru/. I remember the same problem with the Russian free-mail site au.ru. They recommended me to switch to www.au.ru - and all went well.
>
> Oleg.
> ----
> Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
> Programmers don't die, they just GOSUB without RETURN.

Thanks so much, Oleg! That was it! I forced everything to www.my.domain and things work fine, now!

--
----------------------------------
Observation is the essence of art.
----------------------------------
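
Added example, not part of any message in this thread and not Zope or LoginManager code: the original Netscape cookie specification requires a Domain attribute to contain at least two periods (three outside seven listed top-level domains) and to tail-match the requesting host, and this sketch applies those two checks to a Set-Cookie Domain value. The function names and sample hosts are constructed, the tail match is done on label boundaries (stricter than a raw string suffix), and whether a given browser enforces the rule exactly this way is an assumption.

```python
# Added example: Domain-attribute checks per the original Netscape cookie spec.
# Function names and sample hosts are constructed for illustration.

# The seven "special" top-level domains that only need two periods.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def required_periods(domain_attr):
    """Minimum number of periods the spec demands for this Domain value."""
    tld = domain_attr.rstrip(".").rsplit(".", 1)[-1].lower()
    return 2 if tld in SPECIAL_TLDS else 3


def tail_matches(request_host, domain_attr):
    """True if the host equals the domain or ends with it on a label boundary."""
    host = request_host.lower()
    domain = domain_attr.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def check_cookie_domain(request_host, domain_attr):
    """Return (accepted, reason) for a Set-Cookie Domain seen from request_host."""
    if not domain_attr:
        return True, "no Domain attribute: cookie stays bound to the sending host"
    have, need = domain_attr.count("."), required_periods(domain_attr)
    if have < need:
        return False, "Domain=%s has %d period(s), spec asks for %d" % (
            domain_attr, have, need)
    if not tail_matches(request_host, domain_attr):
        return False, "host %s is not inside Domain=%s" % (request_host, domain_attr)
    return True, "Domain=%s accepted for host %s" % (domain_attr, request_host)


if __name__ == "__main__":
    samples = [  # constructed (host, Domain) pairs
        ("my.domain", "my.domain"),           # the header quoted in the thread
        ("www.example.com", "example.com"),   # missing leading dot: one period
        ("www.example.com", ".example.com"),  # two periods, special TLD
        ("www.other.test", ".example.com"),   # enough periods, wrong host
        ("www.example.com", None),            # host-only cookie
    ]
    for host, domain in samples:
        print(host, domain, check_cookie_domain(host, domain))
```

Running the same check against the Set-Cookie header captured over telnet before deployment shows whether a strict client has grounds to discard it.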