[Zope-dev] logout and IE6 problems

[Aseem Mohanty]

Hi All,

Pardon the cross post, since I dont know where exactly my problems lie...

I am running Zope 2.5.0 (binary release, python 2.1, win32-x86), python 
2.1.2, win32 on a Win2k machine with a MySQL server. I just wrote my 
first UserFolder based on the mysqlUserFolder product, but with some 
customized stuff to suit my needs. I basically did not use 
mysqlUserFolder's session and cookie management and instead, am using 
ZSession for session management.

Finally after several days work I have everything running, barring two 
problems, one doesnt matter much, the other is a gift of the evil empire 
which I havent figured out as yet.

The first problem: For logout purposes I used the function that handles 
the logout in ZMI and call it from a form; the function is as follows:

    def user_logout (Self, REQUEST,RESPONSE):
            """ Terminates user session """
            user = Self.check_valid_mysql_user (REQUEST)
            Self.__terminate_session(REQUEST)
            realm=RESPONSE.realm
            RESPONSE.expireCookie('__ac',path='/')
            RESPONSE.expireCookie('_ZSession',path='/')
            RESPONSE.setStatus(401)
            RESPONSE.setHeader('WWW-Authenticate', 'basic realm="%s"' %
    realm, 1)
            RESPONSE.setBody("""<html>
                <meta http-equiv="refresh" content="0;
    URL=http://xxxx:8080/test_folder/logged_out">
                <head><title>Logout</title></head>
                <body><p>You have been logged out.</p>
                </body></html>""")
            return

It basically does the job beutifully and I have no problems. What I 
would like to do however is to be able log back in when prompted for a 
login and password as a result of this call. I tested the ZMI interface 
and it does the same too : once you log-out you have to cancel the 
prompt box and then try and access a protected resource to get logged 
back in. I tested the control flow and as a matter of fact when I enter 
the right username/password combo it goes through 'validate' and 
authenticates it all right but just doesn't accept it and sends another 
401. Any ideas as to hwo to get around that would be great....!!

The second problem: All of the above works nicely with all versions of 
Netscape. On IE versions 5.01 and above however, it behaves 
exceptionally badly. In that I can login and a nice little session 
variable is created, and the cookies are set up, and when I log out, the 
sessions are cleared and cookies thrown out and I get prompted to log in 
which if I cancel, I get booted to the logged out page. All nice and clean.

However if I press the back button or type in the URL of a protected 
resource it sends the authentication information back and I am not 
prompted to log back in. On looking at the session and cookie info, I 
found that a new one had been created with the same auth information.

"It just ignored the HTTP 401 !!!"

Now I dont know if that is a bug in IE ( I am inclined to believe it 
is!! ), but I have tested my package pretty exhaustively and it works 
without fail in all NS and upto IE 5.0. If anybody has encountered the 
problem before and has figured out how to deal with it 'without' closing 
all IE windows, I would be immensely grateful if s/he could pass on the 
information.

Thanks for you collective patience.
Aseem


==================================================================
 Aseem Mohanty   	
==================================================================								  	
 "I saw `cout' being shifted "Hello world" times to the left and  
  stopped right there!!"                        -- Steve Gonedes  
==================================================================