[Zope] getting index_html instead of manage_main in some browsers

Scott Anderson scott.d.anderson@home.com
Mon, 25 Jun 2001 15:54:01 -0400


Exactly. And in fact I've had to make special "arrangements" (read:
kludge) to support Basic Auth in my Zope application. My app runs in
anonymous mode, and I had the login page somewhere in the directory
hierarchy. Well, that was fine, except that Mozilla won't send the
credentials for any page ABOVE the login page in the hierarchy (unless
it is specifically marked as needing authentication). As a result, I
would lose any personalized content for pages higher in the hierarchy. I
had to put the login page at the top of the hierarchy and redirect to
where I was going in the first place.

Regards,
-scott

Rene Pijlman wrote:
> 
> The relevant RFCs are:
> 
> HTTP/1.1:
> http://www.ietf.org/rfc/rfc2616.txt
> 
> HTTP Authentication: Basic and Digest Access Authentication:
> http://www.ietf.org/rfc/rfc2617.txt
> 
> RFC-2617 says in section 2 "Basic Authentication Scheme":
> 
>    A client MAY preemptively send the
>    corresponding Authorization header with requests for resources in
>    that space without receipt of another challenge from the server.
> 
> It says MAY, not MUST, not even SHOULD. I could not find any other part of
> the standard that suggests otherwise.
> 
> So if I understand it correctly, Zope is relying on browser behaviour that
> is not required by the standard. That would mean the problem is caused by
> Zope, not by some browsers.
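
The following is an added example, not part of either message or of Zope: a model of a client that preemptively sends Basic credentials only for paths at or below the directory of the challenged URL, which is the path scope RFC 2617 section 2 tells clients to assume. The host name, page paths and credentials are constructed, and reading "last symbolic element" as the containing directory is an assumption about how a given browser applies the rule.

```python
import base64
from urllib.parse import urlsplit

def protection_prefix(challenged_url):
    """Origin and path prefix a client treats as covered after a Basic challenge.

    Assumption: the scope is the directory containing the challenged
    resource, so /a/b/login covers /a/b/ and everything below it.
    """
    u = urlsplit(challenged_url)
    path = u.path or "/"
    return u.scheme, u.netloc.lower(), path[: path.rfind("/") + 1]

def sends_preemptively(challenged_url, request_url):
    """True if the modelled client attaches credentials without a new 401."""
    scheme, host, prefix = protection_prefix(challenged_url)
    r = urlsplit(request_url)
    same_origin = (r.scheme, r.netloc.lower()) == (scheme, host)
    return same_origin and (r.path or "/").startswith(prefix)

def authorization_header(user, password):
    """Basic credentials: base64 of "user:password"."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def plan(challenged_url, request_urls, user, password):
    """Map each request URL to the Authorization value sent, or None."""
    header = authorization_header(user, password)
    return {url: header if sends_preemptively(challenged_url, url) else None
            for url in request_urls}

# Constructed sample site: public pages that personalize when credentials arrive.
SITE = "http://zope.example.test"
PAGES = [SITE + "/index_html",
         SITE + "/app/index_html",
         SITE + "/app/members/profile"]

if __name__ == "__main__":
    # First the login page deep in the hierarchy, then moved to the top.
    for login in (SITE + "/app/members/login", SITE + "/login"):
        print("challenged at", login)
        for url, hdr in plan(login, PAGES, "demo", "demo-password").items():
            print("   ", url, "->", hdr or "(anonymous)")
```

With the login page at `/app/members/login`, only `/app/members/profile` receives the header; with it at `/login`, every page does, which also means the credentials accompany every request to that host.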