[Zope-dev] CookieCrumbler and WebDAV
Casey Duncan
casey at zope.com
Thu Nov 6 14:08:36 EST 2003
On Thu, 06 Nov 2003 14:38:03 +0100
Lennart Regebro <regebro at nuxeo.com> wrote:
> CookieCrumbler doesn't seem to allow cookie authenticifation over
> WebDAV. It stops authentication if the request is not PUT, GET or POST
> and also it stops anything over the webdav source port.
>
> Anybody knows WHY?
CookieCrumbler is expressly designed for interactive login with a human through a web browser. It steps out of the way for WebDAV because it is not appropriate to subvert the normal HTTP authentication mechanism in that case. WebDAV clients cannot display the HTML login form that CookieCrumber returns. Actually in some cases (like MS Office) they can display the form and they mistakenly think that is the document the user requested 8^(
> I took this code for my Cookie Identification plugin for
> PLuggableUserFolder, so it does the same, but we now have a client whos
> WebDAV client seems to try to use cookies, adn that fails of course.
It might be reasonable not to bail so early, however. Maybe it would be better to bail only if there wasn't a proper authentication cookie already. Instead it should try to use it to authenticate.
-Casey
More information about the Zope-Dev
mailing list