[Zope] Subtle Authentication Problem with pages with Query Strings

Chris Kratz chris.kratz@vistashare.com
Sat, 1 Sep 2001 15:13:18 -0400


We have run into a subtle authentication problem and are wondering if anyone has
any suggestions.

Part of our site is public, but most is private.  Here is a simplified
schematic:

Root
  |-Folder1
         |-Folder1a
         |-Folder1b
         |-Shared

Everything below Folder 1 is restricted and *should* prompt for name and
password if requested.  What we have seen is the following.

1. User requests /Folder1 and is prompted for authorization. User enters and
page displays.
2. index_html in Folder1 does a redirect to /Folder1/Folder1a (index_html)
3. They then click on a link on that page to take them to an index_html in
Folder1b.  The exact URL looks something like this:
/Folder1/Folder1b/index_html?method=Search
4. User gets a KeyError on Shared (accessed with a dtml-with)

What is so bizarre about this behavior is the fact that if they change the
URL to remove the query string (/Folder1/Folder1b/index_html) the page is
displayed as expected.  Once the page is displayed, if they then click a
link (or change the URL [to be]) identical to the link in step 3, the page
displays correctly.

I found through much experimentation that the issue appears to be with the
first request of a page using a query string.  It appears that if the page
is first requested without a query string, the authentication somehow
"sticks" and then any subsequent requests with a query string work for that
user (though no authorization is re-requested from the user).  It almost
appears that in some instances the query string somehow derails the
authentication dialog between Zope and the browser.

Another interesting tidbit:
-Step 1 after authorization: AUTHORIZED_USER = username
-Step 2 AUTHORIZED_USER = username
-Step 3 AUTHORIZED_USER = Anonymous User (with query string) [Appears zope
thinks we haven't logged in yet]
-Remove Query String, AUTHORIZED_USER = username [Note, we didn't
reauthenticate]
-Add Query String again, AUTHORIZED_USER = username [Hmm, now it works]

Security-wise, the only thing I have locked down is the "Access contents
information" on Folder 1 (and all children), requiring specific roles and
disallowing anonymous access.

I upgraded to 2.4.1 today, but still have this problem.
This is reproducible in various versions of IE, but I am using 6.0 on the test
machine.
We are at this point in time using the default HTTP authentication.

Fortunately in this instance I was able to fix the problem by changing the
link to first request the page without a query string and then subsequent
requests seem to always work.  But, it would be interesting to know if there
is something that I can do so that it will work regardless.  Bookmarked URLs
with query strings do not work in general unless authentication is done
ahead of time, then the bookmark may or may not work.

My hunch is that the best way to fix the problem will be to move to a cookie
based sessioning tool.  It appears to be a problem with the authentication
headers being sent to Zope.  But I wondered if anyone has had a similar
problem or has any suggestions.

Thanks for your time,

-Chris
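An added model of the step 3 exchange above (example code written for this page, not Zope's code and not from the poster): it assumes, as the post observes, that the browser sent no Authorization header on the query-string request, and contrasts a page that renders for Anonymous and then fails on Shared with one that answers the missing credentials with a 401 challenge, which RFC 2617 browsers answer with cached credentials without prompting. The user name, password and status codes are constructed.

```python
from base64 import b64encode, b64decode
from urllib.parse import urlsplit

USERS = {"chris": "secret"}      # constructed credentials, not from the post
ANON = "Anonymous User"

def _user_from(headers):
    """Decode an HTTP Basic Authorization header; anything else is Anonymous."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return ANON
    name, _, pw = b64decode(auth[6:]).decode().partition(":")
    return name if USERS.get(name) == pw else ANON

def serve(url, headers, fail_closed):
    """Stand-in for the site in the post: everything under /Folder1 is restricted.
    fail_closed=False: the page body renders for Anonymous and only the later
    <dtml-with Shared> lookup fails (the KeyError), modelled as a 500 error page.
    fail_closed=True: missing credentials get a 401 + WWW-Authenticate up front.
    Returns (status, AUTHENTICATED_USER)."""
    user = _user_from(headers)
    if urlsplit(url).path.startswith("/Folder1") and user == ANON:
        return (401 if fail_closed else 500), user
    return 200, user

def browser_request(url, cred, send_preemptively, fail_closed):
    """RFC 2617 client behaviour: credentials go out preemptively only when the
    browser believes the URL lies in a known protection space (the post's IE
    did not, for the query-string URL); on a 401 for an already-known realm it
    retries with the cached credentials and does not prompt the user again."""
    headers = {"Authorization": cred} if send_preemptively else {}
    status, user = serve(url, headers, fail_closed)
    if status == 401:
        status, user = serve(url, {"Authorization": cred}, fail_closed)
    return status, user

CRED = "Basic " + b64encode(b"chris:secret").decode()
URL = "/Folder1/Folder1b/index_html?method=Search"   # the link from step 3

def step3_as_observed():
    """No credentials sent, page rendered as Anonymous, error instead of prompt."""
    return browser_request(URL, CRED, send_preemptively=False, fail_closed=False)

def step3_with_challenge():
    """Same request against a page that challenges first: the browser recovers."""
    return browser_request(URL, CRED, send_preemptively=False, fail_closed=True)
```

The point for the server side is that a restricted page which renders as Anonymous and only fails later never gives the browser a 401 to answer, whereas a 401 up front lets it resend the credentials it already holds.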