Webdav and cookie based authentication: exUserFolder compared to cookie crumbler
Hi,

I've been setting up my new development environment and have had some problems with exUserFolder - in cases where the service has used cookie based authentication. I've mounted my zope-service with davfs and accessed it well, but problems have arisen when I have needed to write through webdav - since the authentication has not worked.

However when I've used cookie crumbler to provide the cookie based authentication - everything has worked fine. Has anyone else seen this happen -- and is there something that should / could be done?

-huima
+-------[ Heimo Laukkanen ]----------------------
| Hi,
|
| I've been setting up my new development environment and have had some
| problems with exUserFolder - in cases where the service has used cookie
| based authentication. I've mounted my zope-service with davfs and
| accessed it well, but problems have arisen when I have needed to write
| through webdav - since the authentication has not worked.
|
| However when I've used cookie crumbler to provide the cookie based
| authentication - everything has worked fine. Has anyone else seen this
| happen -- and is there something that should / could be done?

DAV doesn't work with cookie auth. Cookie Crumbler only works with Basic Auth folders.

XUF used to try to fall back to Basic Auth if you had specified cookie auth, but, I'm not sure if someone has changed the way that worked.

--
Totally Holistic Enterprises Internet | Andrew Milton
The Internet (Aust) Pty Ltd           | M: +61 416 022 411
ACN: 082 081 472 ABN: 83 082 081 472  | akm@theinternet.com.au
Carpe Daemon
Andrew Kenneth Milton wrote:
DAV doesn't work with cookie auth. Cookie Crumbler only works with Basic Auth folders.
XUF used to try to fall back to Basic Auth if you had specified cookie auth, but, I'm not sure if someone has changed the way that worked.
Ok. Thanks Andrew for the fast reply and your work within the great product ,-)

Conclusion then is, that it is - at least for now - better to use cookie crumbler from CMF to provide the cookie-based auth and keep the user folder in http-authentication mode, if you want to have also webdav-access to the service.

This at least works for me now on Zope 2.6 + CMF 1.3, keeping passwords in a PostgreSQL database.

Cheers,
-huima
actually, the "most correct" way would be for the cookie handling in exUserFolder to sniff the request and try to determine if it is a webdav request. i think that's how the CookieCrumbler does it, and that's what i do for the LDAPUserFolder.

cookie handling is a horrible mess in general, though. it is extremely hard to "do the right thing" under all circumstances. that's why i personally have taken to telling people "use cookie crumbler" and why there will no longer be cookie support built into the LDAPUserFolder itself once version 2.0 comes out.

jens

On Sunday, Oct 27, 2002, at 09:35 US/Eastern, Heimo Laukkanen wrote:
Andrew Kenneth Milton wrote:
DAV doesn't work with cookie auth. Cookie Crumbler only works with Basic Auth folders. XUF used to try to fall back to Basic Auth if you had specified cookie auth, but, I'm not sure if someone has changed the way that worked.
Ok. Thanks Andrew for the fast reply and your work within the great product ,-)
Conclusion then is, that it is - at least for now - better to use cookie crumbler from CMF to provide the cookie-based auth and keep the user folder in http-authentication mode, if you want to have also webdav-access to the service.
This at least works for me now on Zope 2.6 + CMF 1.3, keeping passwords in a PostgreSQL database.
Cheers,
-huima
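As an added illustration of the request sniffing Jens describes (this is example code, not CookieCrumbler's or exUserFolder's own), here is how a user folder can pick its credential source per request: WebDAV-style requests are sent down the Basic Auth path, browser requests down the cookie path, and the cookie is only trusted over TLS because, as Andrew notes, its contents are sniffable on the wire. The CGI/WSGI environ key names, the `__ac` cookie name and the `WEBDAV_SOURCE_PORT` marker are assumptions.

```python
import base64
import binascii
from http.cookies import SimpleCookie

# Methods only WebDAV clients issue; a browser form login never produces these.
WEBDAV_METHODS = frozenset({"PROPFIND", "PROPPATCH", "MKCOL", "COPY",
                            "MOVE", "LOCK", "UNLOCK"})
# Headers that only WebDAV traffic carries ("Translate: f" is the MS client hint).
WEBDAV_HEADERS = ("HTTP_DEPTH", "HTTP_DESTINATION", "HTTP_TRANSLATE")


def is_webdav_request(environ):
    """Heuristic WebDAV sniff on a CGI/WSGI-style environ (assumed key names)."""
    if environ.get("REQUEST_METHOD", "").upper() in WEBDAV_METHODS:
        return True
    if any(h in environ for h in WEBDAV_HEADERS):
        return True
    # Assumed marker for a request that arrived on a dedicated WebDAV source port.
    return "WEBDAV_SOURCE_PORT" in environ


def basic_credentials(environ):
    """Return (user, password) from an HTTP Basic Authorization header, else None."""
    scheme, _, blob = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed header: treat as no credentials, do not guess
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def select_auth(environ, cookie_name="__ac"):
    """Decide where this request's credentials come from.

    WebDAV clients neither replay browser cookies nor answer a login form, so
    they get the Basic Auth path; everything else uses the cookie, which is
    only honoured over TLS because a plaintext cookie leaks the credentials.
    """
    if is_webdav_request(environ):
        creds = basic_credentials(environ)
        return ("basic", creds) if creds else ("challenge-basic", None)
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    if cookie_name not in jar:
        return ("login-form", None)
    if environ.get("wsgi.url_scheme") != "https":
        return ("reject-plaintext-cookie", None)
    return ("cookie", jar[cookie_name].value)
```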
+-------[ Jens Vagelpohl ]----------------------
| actually, the "most correct" way would be for the cookie handling in
| exUserFolder to sniff the request and try to determine if it is a
| webdav request. i think that's how the CookieCrumbler does it, and
| that's what i do for the LDAPUserFolder.
|
| cookie handling is a horrible mess in general, though. it is extremely
| hard to "do the right thing" under all circumstances. that's why i
| personally have taken to telling people "use cookie crumbler" and why
| there will no longer be cookie support built into the LDAPUserFolder
| itself once version 2.0 comes out.

Unfortunately the credentials are easily sniffed out of cookies set by CookieCrumbler (and XUF in non-secure cookie mode).

If FTP works with XUF, I don't see why DAV shouldn't work either. I know FTP *used to* work. Perhaps the folks responsible for the validate overhaul would like to comment about now.

--
Totally Holistic Enterprises Internet | Andrew Milton
The Internet (Aust) Pty Ltd           | M: +61 416 022 411
ACN: 082 081 472 ABN: 83 082 081 472  | akm@theinternet.com.au
Carpe Daemon
Unfortunately the credentials are easily sniffed out of cookies set by CookieCrumbler (and XUF in non-secure cookie mode).
just more reasons to not use cookies for authentication, period.
If FTP works with XUF, I don't see why DAV shouldn't work either. I know FTP *used to* work. Perhaps the folks responsible for the validate overhaul would like to comment about now.
what validate overhaul?

jens
From: "Jens Vagelpohl" <jens@zope.com>
Unfortunately the credentials are easily sniffed out of cookies set by CookieCrumbler (and XUF in non-secure cookie mode).
just more reasons to not use cookies for authentication, period.
What would you use instead? I have yet to find any alternatives to using cookies as part of the sessioning mechanism.

Or are you referring to storing username and passwords in the cookie? If so ignore the question, because I think it is bad too :)

regards,
/dario
participants (4)
- Andrew Kenneth Milton
- Dario Lopez-Kästen
- Heimo Laukkanen
- Jens Vagelpohl