AUTHENTICATED_USER reverts back to Anonymous User
Hi there,

This is what happens:

1) User enters site (REQUEST.AUTHENTICATED_USER == "Anonymous User")
2) User logs in when accessing a "secure" page. (REQUEST.AUTHENTICATED_USER == "myUser")
3) User goes to page that is available for Anonymous Users but which is rendered differently for logged in users. Page must now render as if user is logged in, but does not because REQUEST.AUTHENTICATED_USER == "Anonymous User" again??

After doing some reading it seems as if this is a problem with the way HTML authentication works (Zope does not receive a browser authentication challenge or something like that). Is there a way around this other than using cookies or url mangling?

Thanks
Etienne
what version of zope are you running? some versions had a "shortcut" in the security mechanism that, while speeding things up a little, produces the symptoms you see. AFAIK this has been fixed a little while ago. 2.4.3 should not have this behavior anymore.

jens

On Friday, November 30, 2001, at 08:33 , Etienne Labuschagne wrote:
> Hi there,
>
> This is what happens:
>
> 1) User enters site (REQUEST.AUTHENTICATED_USER == "Anonymous User")
> 2) User logs in when accessing a "secure" page. (REQUEST.AUTHENTICATED_USER == "myUser")
> 3) User goes to page that is available for Anonymous Users but which is rendered differently for logged in users. Page must now render as if user is logged in, but does not because REQUEST.AUTHENTICATED_USER == "Anonymous User" again??
>
> After doing some reading it seems as if this is a problem with the way HTML authentication works (Zope does not receive a browser authentication challenge or something like that). Is there a way around this other than using cookies or url mangling?
>
> Thanks
> Etienne
On Fri, Nov 30, 2001 at 03:33:39PM +0200, Etienne Labuschagne wrote:
> 1) User enters site (REQUEST.AUTHENTICATED_USER == "Anonymous User")
> 2) User logs in when accessing a "secure" page. (REQUEST.AUTHENTICATED_USER == "myUser")
> 3) User goes to page that is available for Anonymous Users but which is rendered differently for logged in users. Page must now render as if user is logged in, but does not because REQUEST.AUTHENTICATED_USER == "Anonymous User" again??
>
> After doing some reading it seems as if this is a problem with the way HTML authentication works (Zope does not receive a browser authentication challenge or something like that). Is there a way around this other than using cookies or url mangling?
There is none. HTTP Basic Authentication is too basic to be usable. :(

Oleg.
--
Oleg Broytmann http://phd.pp.ru/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.
I think this behavior is browser dependent. Some browsers (e.g., OmniWeb? others?) only send AUTH headers if a non-authenticated attempt returns AUTH REQUIRED. Others (e.g., Netscape, IE, Mozilla?...) send AUTH headers any time after the user is asked to authenticate, and the URL visited has the same domain.

I think Oleg is right though. I don't believe the spec requires AUTH headers to be sent unless they are required and this produces exactly the behavior you've seen. It also makes the Zope management interface useless (if you've ever tried to use it with one of these browsers!)

good luck!
-steve

On Friday, November 30, 2001, at 09:12 AM, Oleg Broytmann wrote:
> On Fri, Nov 30, 2001 at 03:33:39PM +0200, Etienne Labuschagne wrote:
> > 1) User enters site (REQUEST.AUTHENTICATED_USER == "Anonymous User")
> > 2) User logs in when accessing a "secure" page. (REQUEST.AUTHENTICATED_USER == "myUser")
> > 3) User goes to page that is available for Anonymous Users but which is rendered differently for logged in users. Page must now render as if user is logged in, but does not because REQUEST.AUTHENTICATED_USER == "Anonymous User" again??
> >
> > After doing some reading it seems as if this is a problem with the way HTML authentication works (Zope does not receive a browser authentication challenge or something like that). Is there a way around this other than using cookies or url mangling?
>
> There is none. HTTP Basic Authentication is too basic to be usable. :(
>
> Oleg.
> --
> Oleg Broytmann http://phd.pp.ru/ phd@phd.pp.ru
> Programmers don't die, they just GOSUB without RETURN.
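The two browser behaviours described in the thread, replayed against a toy server, as an added example that is not part of the original messages and is not Zope code. The `server` function, the `/secure/` prefix, the `/index` page and the credentials are all constructed for illustration; the server derives the user only from the `Authorization` header, which is the assumption the thread's symptom rests on.

```python
import base64
import hmac

USERS = {"myUser": "s3cret"}      # constructed credentials
PROTECTED_PREFIX = "/secure/"     # hypothetical site layout

def server(path, headers):
    """Return (status, user); identity comes only from the Authorization header."""
    user = "Anonymous User"
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        name, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if name in USERS and hmac.compare_digest(USERS[name], pw):
            user = name
    if path.startswith(PROTECTED_PREFIX) and user == "Anonymous User":
        return 401, user          # challenge: credentials required here
    return 200, user              # public pages never challenge

class Browser:
    def __init__(self, preemptive):
        self.preemptive = preemptive
        self.cached = None        # header value remembered after a login

    def get(self, path, login=("myUser", "s3cret")):
        headers = {}
        if self.preemptive and self.cached:
            headers["Authorization"] = self.cached   # sent without a challenge
        status, user = server(path, headers)
        if status == 401:                            # retry once with credentials
            token = base64.b64encode(":".join(login).encode()).decode()
            headers["Authorization"] = "Basic " + token
            status, user = server(path, headers)
            if status == 200:
                self.cached = headers["Authorization"]
        return user

def visit(preemptive):
    """Replay the three steps from the thread; return the user seen at each step."""
    browser = Browser(preemptive)
    return [browser.get(p) for p in ("/index", "/secure/page", "/index")]

if __name__ == "__main__":
    print("challenge-only:", visit(False))
    print("preemptive:    ", visit(True))
```

A browser that answers only challenges shows up as "Anonymous User" again on the public page in step 3, because that page never returns 401; a browser that resends the header to the same site stays "myUser".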