[Zope] getting index_html instead of manage_main in some browsers
Rene Pijlman
rpijlman@wanadoo.nl
Mon, 25 Jun 2001 21:46:59 +0200
> The problem is, Zope challenges you when you log into /manage. The
> browser pops up the auth box. You log in, and your browser successfully
> retrieves the frameset. Since the left frame *requires* authentication,
> it challenges the browser which send the credentials. The right frame
> does not require authentication, and in fact, will *not* challenge the
> browser. Zope assumes that the browser will automatically send the
> previously established credentials for the right frame, as all browsers do
> except the two you mention.
> So, the question is, does the spec define this behavior? Are browsers
> required to send authentication information previously established for a
> given realm even when *not* challenged by the server?
The relevant RFC's are:
HTTP/1.1:
http://www.ietf.org/rfc/rfc2616.txt
HTTP Authentication: Basic and Digest Access Authentication:
http://www.ietf.org/rfc/rfc2617.txt
RFC-2617 says in section 2 "Basic Authentication Scheme":
A client MAY preemptively send the
corresponding Authorization header with requests for resources in
that space without receipt of another challenge from the server.
It says MAY, not MUST, not even SHOULD. I could not find any other part of
the standard that suggests otherwise.
So if I understand it correctly, Zope is relying on browser behaviour that
is not required by the standard. That would mean the problem is caused by
Zope, not by some browsers.
Regards,
Rene Pijlman