[Zope] Cookies vs. browsers and other issues

Sreeram Ramachandran gro.mareers@sreeram.org
Mon, 26 Feb 2001 23:34:09 +0800


Hi,

I am using LoginManager with Basic Cookie Authentication (using Zope 2.3.1b1). When I successfully log in, I expect the browser to receive a cookie, right? Now, the problem is this: Netscape 4.76 on Linux and Links 0.82 on Linux don't pick up the cookie, whereas Lynx 2.8.3 on Linux and IE 5.something on Windows 2000 do pick it up.

Has anyone experienced this? On similar/other browsers/platforms? Do you know why this is happening?

I don't suspect there is any browser-specific code in LoginManager or HTTPResponse.py, so the problem can't be with Zope (maybe I'm wrong). Also, I can see the cookie quite clearly when I do a raw telnet to port 80 and submit my login form.

I checked the format of the cookie received (using the telnet) and everything seems fine, like so:
Set-Cookie: cookie_name="cookie_value"; Domain=my.domain; Path=/
(Changing the capitalization of Domain or Path has no effect).

Meanwhile, here are some other observations:

1. I got burnt because of the implicit assumptions about how to render code found within a <dtml-raise> block. Zope assumes that anything that doesn't begin with a "<html>" or "<!doctype" is a fragment and so wraps its error message headers around it. My HTML used to start with "<?xml?>", so for a long time, I couldn't understand why my login-form wasn't working.

2. I am new to Zope, so maybe I don't quite appreciate how this works, but I was worried to read in the Zope Book that acquisition works based on the URL and not just the folder hierarchy. I.e., given a directory structure like this:
../
..|-> gnu/
..|...|-> rms
..|-> osi/
......|-> esr
Zope is quite happy with a URL like: /gnu/osi/esr/rms. Doesn't this have serious implications for security (i.e., one can call arbitrary DTML methods on arbitrary objects)? For example, if you do a "<dtml-var some_method>" carelessly (e.g., implicitly assuming that some_method will only come from the same folder or one higher up towards the root), then you could be fried if someone puts an incompatible/malicious some_method elsewhere in the document tree and then uses it in the URL?

And oh, Zope is awesome! Thanks to each and every one of you (for coding, submitting bugs, documenting, writing great extensions/products, helping newbies (like me!) or even just plain hanging around here on the mailing lists)!!!

Thanks!
Sreeram.

-- 
----------------------------------
Observation is the essence of art.
----------------------------------
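An added diagnostic for the Set-Cookie question above; this is not code from the post, LoginManager or Zope. It parses a Set-Cookie header and lists the reasons a user agent may refuse to store it, using the domain-matching rule of RFC 6265 and the stricter Domain checks of RFC 2109; the hostnames are constructed placeholders.

```python
# Added example: check a Set-Cookie header against the rules a user agent
# applies before storing the cookie. Hostnames below are placeholders.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'Set-Cookie: name="value"; Domain=...; Path=/' into its parts."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    pieces = [p.strip() for p in body.strip().split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: host equals the domain or ends with '.' + domain."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def check_cookie(header: str, request_host: str) -> List[str]:
    """Return the reasons a user agent might refuse (or mangle) this cookie."""
    name, value, attrs = parse_set_cookie(header)
    problems: List[str] = []
    if not name:
        problems.append("cookie has no name")
    if value.startswith('"') and value.endswith('"'):
        # RFC 2109 allows quoted-string values; RFC 6265 agents keep the quotes
        problems.append("value is quoted; RFC 6265 agents store the quotes as part of it")
    dom = attrs.get("domain")
    if dom:
        if not domain_matches(request_host, dom):
            problems.append(f"Domain={dom} does not cover request host {request_host}")
        if not dom.startswith("."):
            problems.append("Domain has no leading dot (RFC 2109 s4.3.2 rejects it)")
        if "." not in dom.lstrip("."):
            problems.append("Domain has no embedded dot (RFC 2109 s4.3.2 rejects it)")
    return problems


if __name__ == "__main__":
    hdr = 'Set-Cookie: cookie_name="cookie_value"; Domain=my.domain; Path=/'
    for reason in check_cookie(hdr, "my.domain"):
        print(reason)
```

Run it against the exact header your server emits and the exact Host the browser used; a Domain that does not tail-match the host is the most common reason a cookie is silently dropped.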