[Zope] authentication problem

Stuart Bishop zen@shangri-la.dropbear.id.au
Sun, 9 Sep 2001 14:55:09 +1000


On Tuesday, September 4, 2001, at 09:15 PM, Richard Barrett wrote:

> I'm not familiar with OmniWeb but the relevant RFC2617 says:
>
> "A client SHOULD assume that all paths at or deeper than the depth of 
> the last symbolic element in the path field of the Request-URI also are 
> within the protection space specified by the Basic realm value of the 
> current challenge. A client MAY preemptively send the corresponding 
> Authorization header with requests for resources in that space without 
> receipt of another challenge from the server."
>
> My note: the client "MAY preemptively ...", not MUST.

[...]

> Maybe it is time to patch Zope so that it is RFC standards conformant ??

The only way I can see of doing this would be to make cookie based
authentication the default, or to write a new HTTP RFC and get it
accepted by all the browser maintainers out there. Note that the
problem not only occurs in the management interface, but anywhere
on your site that a page renders differently depending on whether
it is viewed by an Anonymous client or an authenticated client.
It will probably only affect fringe dwellers (like myself - I will
be buying Omniweb if this behaviour is changed) unless Microsoft
decide to change IE's behaviour.

The CoreSessionTracking product, when integrated into Zope core, might
also provide an alternative if it could maintain session based on
URL instead of cookies (can it do this now?).

--
Stuart Bishop <zen@shangri-la.dropbear.id.au>
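An added example (not code from the thread or from Zope) modelling the RFC 2617 rule quoted above and the symptom Stuart describes: a client that caches Basic credentials per protection space and sends them preemptively, against a toy server whose pages render differently for Anonymous and authenticated requests. The host, paths and the `Basic manager-credentials` string are constructed placeholders.

```python
from urllib.parse import urlsplit


def protection_space(request_uri):
    """Origin and path prefix a client SHOULD treat as one Basic protection
    space after a challenge on request_uri: everything at or below the
    directory holding the last symbolic path element (the usual browser reading)."""
    u = urlsplit(request_uri)
    path = u.path or "/"
    prefix = path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"
    return (f"{u.scheme}://{u.netloc}", prefix)


class PreemptiveClient:
    """Client exercising the RFC's MAY: credentials learned from one challenge
    are attached to every later request inside that protection space."""

    def __init__(self):
        self.spaces = {}  # (origin, prefix) -> Authorization header value

    def challenged(self, request_uri, authorization):
        self.spaces[protection_space(request_uri)] = authorization

    def header_for(self, request_uri):
        u = urlsplit(request_uri)
        origin = f"{u.scheme}://{u.netloc}"
        path = u.path or "/"
        # Longest matching prefix wins, so a challenge at /Folder/ beats one at /
        best = max((p for (o, p) in self.spaces if o == origin and path.startswith(p)),
                   key=len, default=None)
        return self.spaces.get((origin, best)) if best else None


def render(path, authorization):
    """Toy Zope-like page: the same URL renders differently for Anonymous
    and for an authenticated client (constructed placeholder credential)."""
    if authorization == "Basic manager-credentials":
        return f"{path}: authenticated view (manage links shown)"
    return f"{path}: anonymous view"


def browse(client, uri):
    """Fetch uri with whatever credentials the client sends preemptively."""
    return render(urlsplit(uri).path, client.header_for(uri))


if __name__ == "__main__":
    c = PreemptiveClient()
    print(browse(c, "http://zope.example/index_html"))  # anonymous view
    # A challenge on /manage_main puts the whole site ('/') in one protection space...
    c.challenged("http://zope.example/manage_main", "Basic manager-credentials")
    # ...so the client now sends credentials to every page and sees the other rendering.
    print(browse(c, "http://zope.example/index_html"))  # authenticated view
```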