[Zope-dev] Cookie Crumbler ignores HTTP HEAD?

Brent M Hendricks brentmh@ece.rice.edu
Tue, 22 Apr 2003 21:30:31 -0500


I see in the code for CookieCrumbler.modifyRequest() that it disables 
cookies if the HTTP method is not GET, PUT, or POST.  Specifically this 
means that it won't accepct cookie auth for HEAD requests.  This is 
causing problems on my site for users with some browsers.

Apparently some browsers (recent Mozillas, maybe others) send a HEAD 
request when the user right-clicks a link and selects "Save link target 
as" (presumably to gather information before starting the download).  So 
any links that are restricted to authenticated users have the strange 
behavior that users can left-click and view the file directly, but if 
they right-click instead they get the Zope Basic auth dialog.  Not at 
all the desired behavior :)

Is there a particular reason why HEAD was omitted from the list in 
modifyRequest()?  Could it be added in?

Thanks
-- Brent

-------------------------------------------------------------------------

"The programmer, like the poet, works only slightly removed from pure
  thought-stuff.  He builds his castles in the air, from air, creating
  by exertion of the imagination.  Few media of creation are so
  flexible, so easy to polish and rework, so readily capable of
  realizing grand conceptual structures."
                         -- Frederick Brooks, Jr., The Mythical Man Month