Re: R: [Zope] CookieCrumbler logout problems
Alex Cordero writes: Please stay on the mailing list (readded).
... CookieCrumbler unable to log out ... How can I know what kind of authentication am I using? DTML method logged_out simply controls if the current user is Anonymous User by the call

When you request a logout CookieCrumbler expires the authentication cookie and redirects to "logged_out".
When you have been authenticated via the cookie (alone), then you will be "Anonymous User" when "logged_out" is visited. However, when your browser provides basic authentication information, then you are still authenticated by this information and "logged_out" sees that the user name is still not "Anonymous User". Therefore, it tells you that you are still authenticated and not yet logged out.
... If so, how can I say to CookieCrumbler that I want to use real cookie authentication?

Usually (this means in the default setup), CookieCrumbler will only use cookie authentication (and then is able to log you out).

However, when you are authenticated by another user folder, e.g. one above that for CookieCrumbler, then your browser may have gotten an "Unauthorized" response and has shown you a login dialog. Your browser can (and usually will) send this login information with any request to the Zope site. When it does, CookieCrumbler is no longer able to log you out.

An "Unauthorized" response is also sent to the browser in some exceptional error situations. You get a browser login dialog and when you successfully provide login information, then you are authenticated with HTTP authentication and CookieCrumbler can no longer log you out. This is probably a bug. But it occurs only rarely and is probably not your problem.

Some browsers allow you to save login information across sessions. Such browsers may automatically authenticate you without being asked for it. In these cases, you are authenticated via HTTP authentication and CookieCrumbler cannot log you out.

Dieter
An "Unauthorized" response is also sent to the browser in some exceptional error situations. You get a browser login dialog and when you successfully provide login information, then you are authenticated with HTTP authentication and CookieCrumbler can no longer log you out. This is probably a bug. But it occurs only rarely and is probably not your problem.

This is really what it does! When I log in by the login_form and then I examine the REQUEST object (I do so by a DTML method which recalls REQUEST), AUTHENTICATED_USER is set the same as the cookie name! I really don't know why this happens... I've experienced this with Internet Explorer 5.5, 5.0 and also Netscape 4.76. Do you think it's a CookieCrumbler bug?

Alex Cordero
Alex Cordero writes:
An "Unauthorized" response is also sent to the browser in some exceptional error situations. You get a browser login dialog and when you successfully provide login information, then you are authenticated with HTTP authentication and CookieCrumbler can no longer log you out. This is probably a bug. But it occurs only rarely and is probably not your problem.
This is really what it does! When I log in by the login_form and then I examine the REQUEST object (I do so by a DTML method which recalls REQUEST), AUTHENTICATED_USER is set the same as the cookie name!
But, that is as it should be: When you log in, AUTHENTICATED_USER should show that you have logged in, i.e. the name in the cookie! You will not see in the REQUEST object whether or not your browser has sent authentication information (and therefore, CookieCrumbler will not be able to log you out). You can see it with e.g. TCPWatch or another TCP logger.

Dieter
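The wire-level check suggested above, as an added example that is not part of the original thread or of CookieCrumbler itself: it reads the raw text of one HTTP request saved from a TCP logger and reports whether the browser sent an `Authorization: Basic` header, the authentication cookie, or both. The cookie name `__ac` is an assumption (pass the name your site uses), and the sample requests are constructed.

```python
import base64

def parse_headers(raw):
    """Return the header dict (lower-cased names) of one captured HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def auth_sources(raw, cookie_name="__ac"):
    """Report which credentials the browser itself put on the wire."""
    headers = parse_headers(raw)
    found = {"basic_user": None, "cookie": False}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token.strip():
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
            # Keep only the user name; the password is not needed for the check.
            found["basic_user"] = decoded.decode("latin-1").partition(":")[0]
        except ValueError:
            found["basic_user"] = "<undecodable>"
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name and value.strip('"'):
            found["cookie"] = True
    return found

def logout_can_work(raw_after_logout, cookie_name="__ac"):
    """True only if the request after logout carries no credentials at all."""
    src = auth_sources(raw_after_logout, cookie_name)
    return src["basic_user"] is None and not src["cookie"]

# Constructed sample requests (not captured from a real site).
_BASIC = base64.b64encode(b"alex:example-password").decode("ascii")
LOGGED_IN = ("GET /site/index_html HTTP/1.0\r\nHost: zope.example\r\n"
             'Cookie: __ac="constructed-value"\r\n\r\n')
LOGGED_OUT_CLEAN = "GET /site/logged_out HTTP/1.0\r\nHost: zope.example\r\n\r\n"
LOGGED_OUT_STILL_BASIC = ("GET /site/logged_out HTTP/1.0\r\nHost: zope.example\r\n"
                          "Authorization: Basic " + _BASIC + "\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("logged in", LOGGED_IN), ("logout, cookie only", LOGGED_OUT_CLEAN),
                       ("logout, basic still sent", LOGGED_OUT_STILL_BASIC)]:
        print(label, auth_sources(raw), "no credentials sent:", logout_can_work(raw))
```

If the request for "logged_out" still shows a Basic user here, expiring the cookie cannot end the session; the browser's cached HTTP credentials have to be cleared.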
Participants (2): Alex Cordero, Dieter Maurer