Subtle Authentication Problem with pages with Query Strings
We have run into a subtle authentication problem and are wondering if anyone has any suggestions. Part of our site is public, but most is private. Here is a simplified schematic:

Root
|-Folder1
|-Folder1a
|-Folder1b
|-Shared

Everything below Folder1 is restricted and *should* prompt for name and password if requested. What we have seen is the following.

1. User requests /Folder1 and is prompted for authorization. User enters and page displays.
2. index_html in Folder1 does a redirect to /Folder1/Folder1a (index_html)
3. They then click on a link on that page to take them to an index_html in Folder1b. The exact URL looks something like this: /Folder1/Folder1b/index_html?method=Search
4. User gets a KeyError on Shared (accessed with a dtml-with)

What is so bizarre about this behavior is the fact that if they change the URL to remove the query string (/Folder1/Folder1b/index_html) the page is displayed as expected. Once the page is displayed, if they then click a link (or change the URL [to be]) identical to the link in step 3, the page displays correctly. I found through much experimentation that the issue appears to be with the first request of a page using a query string. It appears that if the page is first requested without a query string, the authentication somehow "sticks" and then any subsequent requests with a query string work for that user (though no authorization is rerequested from the user). It almost appears that in some instances the query string somehow derails the authentication dialog between zope and the browser.

Another interesting tidbit:

- Step 1 after authorization: AUTHORIZED_USER = username
- Step 2: AUTHORIZED_USER = username
- Step 3: AUTHORIZED_USER = Anonymous User (with query string) [Appears zope thinks we haven't logged in yet]
- Remove query string: AUTHORIZED_USER = username [Note, we didn't reauthenticate]
- Add query string again: AUTHORIZED_USER = username [Hmm, now it works]

Security wise, the only thing I have locked down is the "Access contents information" on Folder1 (and all children), requiring specific roles and disallowing anonymous access. I upgraded to 2.4.1 today, but still have this problem. This is reproducible in various versions of IE, but I am using 6.0 on the test machine. We are at this point in time using the default HTTP authentication.

Fortunately in this instance I was able to fix the problem by changing the link to first request the page without a query string, and then subsequent requests seem to always work. But it would be interesting to know if there is something that I can do so that it will work regardless. Bookmarked URLs with query strings do not work in general unless authentication is done ahead of time, and then the bookmark may or may not work.

My hunch is that the best way to fix the problem will be to move to a cookie based sessioning tool. It appears to be a problem with the authentication headers being sent to zope. But I wondered if anyone has had a similar problem or has any suggestions.

Thanks for your time,
-Chris
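The observation above (AUTHORIZED_USER becoming Anonymous User on the first query-string request, and the page then rendering far enough to raise a KeyError on Shared) is what you see when a server evaluates access for an unauthenticated request and proceeds to render instead of challenging. The following is an added example, not Zope's code and not Chris's, of the property a protected handler should have: the access decision depends only on the request path and the Authorization header, every unauthenticated request under the restricted prefix gets a 401 with a WWW-Authenticate challenge, and the restricted object is touched only after that check. The user table, the hashing, the /Folder1 prefix and the "Shared" stand-in are all constructed for the example.

```python
import base64
import hmac
from hashlib import sha256
from urllib.parse import urlsplit

# Constructed user table (hypothetical): username -> sha256 hex of password.
# A real deployment would use a salted, slow password hash, not bare sha256.
USERS = {"chris": sha256(b"correct-horse").hexdigest()}

# Hypothetical restricted prefix, mirroring Folder1 in the post.
RESTRICTED_PREFIX = "/Folder1"
REALM = "Zope"


def basic_header(user, password):
    """Build the value of an HTTP Basic Authorization header (test helper)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth(header):
    """Return (username, password) from a Basic Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(header):
    """Return the username if the header carries valid credentials, else None."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    supplied = sha256(password.encode("utf-8")).hexdigest()
    expected = USERS.get(user)
    if expected is None:
        # Unknown user: still do a compare so timing does not reveal existence.
        hmac.compare_digest(supplied, supplied)
        return None
    if not hmac.compare_digest(supplied, expected):
        return None
    return user


def handle_request(url, headers):
    """Decide access for one request. Returns (status, body, response_headers).

    Only the path and the Authorization header are consulted; the query
    string is deliberately ignored, so '?method=Search' cannot change the
    outcome of the authorization decision.
    """
    parts = urlsplit(url)
    path = parts.path
    user = authenticate(headers.get("Authorization"))
    if path == RESTRICTED_PREFIX or path.startswith(RESTRICTED_PREFIX + "/"):
        if user is None:
            # Challenge every unauthenticated request instead of rendering
            # as Anonymous and failing later inside the page.
            return 401, "", {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    # Only now is it safe to touch the restricted object.
    shared = {"banner": "welcome"}  # stands in for the dtml-with Shared lookup
    who = user or "Anonymous User"
    body = "%s sees %s (query=%r)" % (who, shared["banner"], parts.query)
    return 200, body, {}


if __name__ == "__main__":
    hdr = {"Authorization": basic_header("chris", "correct-horse")}
    print(handle_request("/Folder1/Folder1b/index_html?method=Search", {}))
    print(handle_request("/Folder1/Folder1b/index_html?method=Search", hdr))
```

Run it and the first request (no credentials, query string present) yields a 401 challenge rather than an anonymous render; the second, with the same URL and a valid header, succeeds. Whether the browser actually attaches the header on a given request is the browser's side of the Basic auth exchange, which this server-side check cannot fix, but it does guarantee that a missing header never turns into a half-rendered page.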
participants (1): Chris Kratz