[Zope] Re: [Zope-dev] login prompt after letting user change his password.

Behrens Matt - Grand Rapids Matt.Behrens@Kohler.Com
Thu, 25 Oct 2001 14:28:47 -0400


[Moving to zope@zope.org, like I guess I should have done in the first 
place]

Clark OBrien wrote:

> When you say "the client is still sending the username/password". I
> don't use cookies
> but, because I only use relative urls, Zope seems to maintain the same
> security "context" throughout the "session" (a relative url would be href
> = "dir1\dir2"). I am looking for some way to refresh this security
> "context" to use the new password.


When you log in to a site that uses basic auth, which Zope does by 
default, each HTTP request from your browser comes with your username 
and password.  It is totally separate from cookies (although cookies 
operate in much the same way.)  Your browser will continue sending the 
same username and password until it is closed or gets an Unauthorized 
message from the site.

Basically, Zope doesn't maintain that authentication.  Your browser 
does.  HTTP is designed that way.

 
> It is really confusing for the login to pop up at this point-
> particularly because
> it looks like it is asking for permissions to change the password (
> needs OLD password)


Unfortunately, that's the way it works.


> -----Original Message-----
> From: Behrens Matt - Grand Rapids [mailto:Matt.Behrens@Kohler.Com]
> Sent: Thursday, October 25, 2001 10:09 AM
> To: Clark OBrien
> Cc: 'zope-dev@zope.org'
> Subject: Re: [Zope-dev] login prompt after letting user change his
> password.
> 
> 
> Clark OBrien wrote:
> 
> 
>>Hi all
>>I have written some code to allow a user to change his password (below)
>>
>>The problem is that after executing this code the login dialog pops up.
>>
>>The login requires the user to enter his NEW password.
>>
> 
> 
> There is absolutely nothing wrong with that.
> 
> 
> Basic authentication works by sending the username and password with 
> each request.  You've changed the password on the server, but the client
> is still sending the old password, which doesn't authenticate them any 
> longer.
> 
> The user'd have to do it sometime, why not right after their password is
> changed?
> 
> BTW, the proper forum for this type of question is the main Zope mailing
> list, <zope@zope.org>.
> 
> 



-- 
Matt Behrens <matt.behrens@kohler.com>
System Analyst, Baker Furniture
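
The behaviour described in the message above, as an added example that is not part of the original post and is not Zope code: a stateless server that authenticates each request from its own `Authorization` header, and a client that keeps replaying its cached header. The user name, passwords, realm and function names are constructed for illustration, and the in-memory plaintext user store is a simplification.

```python
import base64
import hmac

REALM = "Zope"  # assumed realm name, for illustration only


def basic_header(username, password):
    """Build the Authorization header a browser attaches to every request."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def handle_request(headers, users):
    """Stateless server side: authenticate from this request's header alone."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return 401, challenge
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return 401, challenge
    username, sep, password = decoded.partition(":")
    stored = users.get(username)
    # Plaintext comparison keeps the example short; real stores hold hashes.
    if not sep or stored is None:
        return 401, challenge
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return 401, challenge
    return 200, {}


def change_password_flow():
    """Replay the thread's scenario and return the status of each request."""
    users = {"clark": "old-secret"}                 # constructed sample data
    cached = basic_header("clark", "old-secret")    # what the browser remembers
    statuses = [handle_request(cached, users)[0]]   # normal page view
    users["clark"] = "new-secret"                   # password changed on server
    statuses.append(handle_request(cached, users)[0])  # old header replayed
    cached = basic_header("clark", "new-secret")    # user answers the prompt
    statuses.append(handle_request(cached, users)[0])
    return statuses


if __name__ == "__main__":
    print(change_password_flow())
```

The middle request is the one that triggers the browser's login dialog: the server has no session to update, so the only way the client learns its cached credentials are stale is the 401 challenge.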