[Zope-CMF] cookieless use problems

Kyler Laird Kyler@Lairds.com
Sun, 14 Jul 2002 13:46:21 -0500


On Sun, Jul 14, 2002 at 02:32:08PM -0400, Tres Seaver wrote:

> RFC 2617, section 2, states WRT basic auth:
> 
>    A client SHOULD assume that all paths at or deeper than the depth of
>    the last symbolic element in the path field of the Request-URI also
>    are within the protection space specified by the Basic realm value of
>    the current challenge. A client MAY preemptively send the
>    corresponding Authorization header with requests for resources in
>    that space without receipt of another challenge from the server.
> 
> If what you are asking is that the default skin / actions always
> append a slash to the 'portal_url' when constructing a URL for the
> root of the CMF site, that is fine, and easy;

And that is all that I was suggesting.

> submit it as a patch
> against the relevant files to the collector.

I keep finding more places where it's used.  I suspect that
someone else would do a much more thorough job than I can
right now - and in the future.

Sometimes I think that it should be coded in absolute_url(),
but I'm not ready to open that can of worms.

> What is *not* easy is getting Basic auth to "fire" for the "bare" site
> URL if you also permit anonymous access to the root of the site.  Unless
> you have a "login" link which looks something like
> 'path/to/cmf_site/?force_basic_auth=1',

Ah...so I'm *not* the only one who uses such tricks?

> and then have some traversal
> majyk which looks for the query string, I can't foresee how to
> accomplish your goal. 

That's not my goal.  I don't suggest it for CMF.  (I might
when I'm more comfortable, though.)

> It gets worse if you expect some portions of the
> site to be protected, but not others;  browsers which behave as you
> describe are going to prompt twice *anyway*.

That's not the current behavior.  They just don't send the
authentication data unsolicited (or "unrequired").  If
access is denied, they will immediately (without prompting)
try again with the authentication data.  The behavior only
becomes noticeable when a request does not require
authentication. 

(This behavior is an attempt to make users less likely to be
manipulated in bad ways by authors at multi-author sites.  I
am still not sure how I feel about it.)

Sidenote: long ago I worked at making NCSA HTTPd/Apache
perform "optional" authentication.  It was non-trivial and
the result was ugly and limited.  (It was right around the
time "modules" were introduced that I think I finally made
it work.)  The ease with which Zope handles it has been a
big plus to me.

> BTW, The 'login_form' is useless under Basic Auth, anyhow;  the browser
> won't use those form values to synthesize the 'Authorization' header
> (mis-named, it should be 'Authentication') anyway.

It was useful to me.  Our projects usually have a "login"
link, so I thought I might use login_form to handle the
standard "Welcome!  You're now logged in, Kyler." function.
I usually prefer just loading the same page with a URL that
forces required authorization (similar to what you described
above), but this seemed more straightforward and it seems
like many people feel better having a "login" page.  (Old
paradigms die hard.)

--kyler
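The RFC 2617 section 2 rule quoted above, and why appending the slash to 'portal_url' matters for it, modelled in Python as an added example that is not part of this thread. The `BasicAuthClient` class, the realm name and the paths are constructed for the illustration; the client attaches cached credentials unsolicited only for paths at or deeper than the directory of the challenged Request-URI.

```python
"""Model of the RFC 2617 section 2 protection-space rule for HTTP Basic auth."""
from urllib.parse import urlsplit


def protection_space(challenged_uri: str) -> str:
    """Path prefix a client treats as protected after a 401 Basic challenge
    for challenged_uri: the directory holding the last symbolic path element.
    Every path at or deeper than that directory lies in the protection space.
    The query string (e.g. '?force_basic_auth=1') is not part of the path."""
    path = urlsplit(challenged_uri).path or "/"
    return path[: path.rfind("/") + 1]


class BasicAuthClient:
    """Constructed minimal credential cache modelling the quoted behaviour:
    credentials go out preemptively only inside a known protection space;
    anywhere else the request is anonymous and is retried only on a 401."""

    def __init__(self) -> None:
        self.spaces: list[tuple[str, str]] = []  # (realm, path prefix)

    def on_challenge(self, realm: str, request_uri: str) -> None:
        """Record a 401 Basic challenge received for request_uri."""
        self.spaces.append((realm, protection_space(request_uri)))

    def preemptive_realm(self, request_uri: str):
        """Realm whose credentials would be attached unsolicited, else None."""
        path = urlsplit(request_uri).path or "/"
        for realm, space in self.spaces:
            if path.startswith(space):
                return realm
        return None


def demo() -> dict:
    """Constructed scenario: the user logged in through the 'login' link
    '/path/to/cmf_site/?force_basic_auth=1', so the cached protection space
    is '/path/to/cmf_site/'. A link built from 'portal_url' without the
    trailing slash falls outside it and is fetched anonymously, which on an
    anonymously readable site root makes the user look logged out."""
    client = BasicAuthClient()
    client.on_challenge("CMF", "/path/to/cmf_site/?force_basic_auth=1")
    return {
        "portal_url without slash": client.preemptive_realm("/path/to/cmf_site"),
        "portal_url with slash": client.preemptive_realm("/path/to/cmf_site/"),
        "document below the root": client.preemptive_realm("/path/to/cmf_site/folder/doc"),
        "sibling site": client.preemptive_realm("/path/to/cmf_sitex/"),
    }
```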