[Zope-PAS] dealing with deleted users
Chris McDonough
chrism at plope.com
Sat May 27 17:24:35 EDT 2006
I imagine it's an accident of implementation.
On May 27, 2006, at 5:22 PM, Jens Vagelpohl wrote:
> On 27 May 2006, at 20:37, Wichert Akkerman wrote:
>
>> I was investigating a plone bug (http://dev.plone.org/plone/ticket/5355)
>> and it is caused by PAS behaviour. The problem boils down to logic in
>> CookieAuthHelper.extractCredentials: if a cookie is present the
>> credentials are extracted from it and form fields are ignored. This
>> means that if we have a cookie containing credentials which no longer
>> authenticate it becomes impossible to login as a different user since
>> the form data is never seen.
>
> Looking at the equivalent in the CookieCrumbler code (method
> modifyRequest) it seems the cookie crumbler does it the other way
> around and will look for form data before looking for the cookie.
> I'd be interested to find out the rationale for weighting cookie
> information higher than form data. Does anyone remember?
>
> jens
>
>
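To make the ordering problem Wichert describes concrete, here is an added Python sketch (not PAS's or CookieCrumbler's own code) that models both extraction orders against a user store from which the cookie's user has been deleted; the `__ac` cookie encoding, the request layout and the user store are simplified assumptions constructed for the illustration.

```python
import base64
from typing import Optional

# Constructed user store: "alice" has been deleted, only "bob" remains.
VALID_USERS = {"bob": "secret"}


def encode_cookie(login: str, password: str) -> str:
    """Assumed cookie format: base64 of "login:password"."""
    return base64.b64encode(f"{login}:{password}".encode()).decode()


def decode_cookie(value: str) -> Optional[dict]:
    """Return credentials carried by the cookie, or None if it is unparseable."""
    try:
        login, _, password = base64.b64decode(value).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return {"login": login, "password": password} if login else None


def _form_credentials(request: dict) -> Optional[dict]:
    form = request.get("form", {})
    if form.get("__ac_name"):
        return {"login": form["__ac_name"], "password": form.get("__ac_password", "")}
    return None


def extract_cookie_first(request: dict) -> Optional[dict]:
    """Order described for CookieAuthHelper.extractCredentials: a present
    cookie wins and the login form is never consulted."""
    cookie = request.get("cookies", {}).get("__ac")
    return decode_cookie(cookie) if cookie else _form_credentials(request)


def extract_form_first(request: dict) -> Optional[dict]:
    """CookieCrumbler-style order: a submitted form takes precedence, so a
    stale cookie cannot block a fresh login as another user."""
    creds = _form_credentials(request)
    if creds:
        return creds
    cookie = request.get("cookies", {}).get("__ac")
    return decode_cookie(cookie) if cookie else None


def authenticate(creds: Optional[dict]) -> Optional[str]:
    """Return the login name if the credentials still match a known user."""
    if creds and VALID_USERS.get(creds["login"]) == creds["password"]:
        return creds["login"]
    return None


# Constructed request: stale cookie for deleted "alice" plus a valid login
# form for "bob". Cookie-first never sees the form; form-first logs bob in.
STALE_REQUEST = {
    "cookies": {"__ac": encode_cookie("alice", "oldpass")},
    "form": {"__ac_name": "bob", "__ac_password": "secret"},
}
```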