[Zope] Cookie Crumbler and querystrings
Ben Avery
ben@thesite.org
Thu, 21 Nov 2002 16:38:09 +0000
>> > I am building a site where users must log in before being allowed
>> > access. For this I use Cookie Crumbler, but I have a problem with it:
>> >
>> > There are some URLs with querystring information, e.g.
>> > http://www.mysite.org/opportunity/cancel/?opp_id=29
>> >
>> > The first time they try this link, the Cookie Crumbler redirects them
>> > back to the login page for username and password. But after they have
>> > logged in, they get taken back to
>> > http://www.mysite.org/opportunity/cancel/index_html
>> > without the querystring, which is necessary for the index_html method
>> > to function.
>> >
>> > Is there a way to avoid this problem, and to maintain querystring
>> > through the CC login process?
>> Yes.
>>
>> Customize the "login_form".
>> It remembers the original URL in a hidden form control.
>> Add the "QUERY_STRING" to the value of this control.
>>
>>
>> Dieter
>>
>
> It remembers the original URL as 'came_from' but without the original
> querystring.
> By the time you get to login_form, the original QUERY_STRING value has
> been lost, and it now contains the came_from.
> e.g.
> URL I'm trying to reach: http://www.mysite.org/opprtunity/cancel/?opp_id=29
>
> Cookie Crumbler redirects this to:
> http://www.mysite.org/login_form?came_from=http%3A//www.mysite.org/opportunity/cancel/index_html&retry=
>
>
> so if I access QUERY_STRING, it is now:
> came_from=http%3A//www.mysite.org/opportunity/cancel/index_html&retry=
> and my original:
> opp_id=29
> has been lost :(
>
>
> Ben
>
Okay,
I've fixed this by (rather clumsily) patching CookieCrumbler.py and
login_form.dtml. The diffs are below:
CookieCrumbler.py
333d332
< querystring = req.get('QUERY_STRING', '')
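Review bot: the direction of this diff looks reversed: the line that introduces `querystring = req.get('QUERY_STRING', '')` sits on the `<` side of `333d332`, so applying the patch as posted removes the new code instead of adding it. Regenerate it old-then-new (or say that it needs `patch -R`), and prefer a context or unified diff so the surrounding lines show where in the method the assignment lands.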
336,337c335,336
< url = '%s?came_from=%s&qs=%s&retry=%s' % (
< page.absolute_url(), quote(came_from),
quote(querystring), retry)
---
> url = '%s?came_from=%s&retry=%s' % (
> page.absolute_url(), quote(came_from), retry)
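Review bot: on the `<` side of `336,337c335,336`, `qs` is sent as a second parameter beside `came_from`, so the return target is split across two values and anything that consumes `came_from` also has to handle `qs`. Consider appending `'?' + querystring` to `came_from` before `quote()` when `querystring` is non-empty, and add a comment saying that `qs` holds the raw, still URL-encoded query string of the original request.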
login_form.dtml
20,28d19
< <dtml-if qs>
< <input type="hidden" name="qs" value="&dtml-qs;">
< <dtml-in "qs.split('&')">
< <dtml-let name="_['sequence-item'].split('=')[0]"
< value="_['sequence-item'].split('=')[1]">
< <input type="hidden" name="&dtml-name;" value="&dtml-value;">
< </dtml-let>
< </dtml-in>
< </dtml-if>
<
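Review bot: in the `dtml-let`, `_['sequence-item'].split('=')[1]` raises an IndexError for a pair that has no `=` (a bare `flag`, for instance) and drops everything after a second `=` inside a value; splitting once on the first `=` and defaulting the value to an empty string covers both. The values are also still URL-encoded as they were in the original query string, so unquote them before writing them into `value=`. Because `qs` is read straight from the login URL, skip names the login URL already uses (`came_from`, `retry`, `qs`) so a crafted link cannot override the form's own fields.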
So CookieCrumbler.py picks up the URL of the original page before the
redirection, and stores this in the URL as 'qs'.
Then login_form.dtml, if qs is picked up as a querystring parameter,
unpacks this into a series of hidden inputs.
It also replaces qs as a hidden input in case the login fails and is
retried.
Ben
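
The round trip described in this message, as an added Python 3 example that is not part of the original post or of CookieCrumbler: the redirect carries the original query string as `qs`, and the form side unpacks it with the standard library's `parse_qsl` so that bare names and values containing `=` survive. The function names and the `RESERVED` set are assumptions of the example.

```python
from html import escape
from urllib.parse import parse_qsl, quote

# Parameter names the login URL already uses (taken from the page). Treating
# them as a reserved set is an assumption of this example.
RESERVED = {"came_from", "qs", "retry"}


def login_redirect(login_url, came_from, query_string, retry=""):
    """Build the login_form URL, carrying the original query string as 'qs'."""
    return "%s?came_from=%s&qs=%s&retry=%s" % (
        login_url, quote(came_from), quote(query_string), retry)


def hidden_inputs(qs):
    """Unpack qs into hidden <input> tags, one per name/value pair."""
    fields = []
    # parse_qsl splits each pair on the first '=' only, decodes %XX escapes
    # and, with keep_blank_values, keeps a bare name such as "flag".
    for name, value in parse_qsl(qs, keep_blank_values=True):
        if name in RESERVED:
            continue  # qs must not override the form's own fields
        fields.append('<input type="hidden" name="%s" value="%s">'
                      % (escape(name, quote=True), escape(value, quote=True)))
    return fields


if __name__ == "__main__":
    # Constructed sample based on the URLs quoted in the thread.
    print(login_redirect(
        "http://www.mysite.org/login_form",
        "http://www.mysite.org/opportunity/cancel/index_html",
        "opp_id=29"))
    for tag in hidden_inputs("opp_id=29&flag&token=a=b&retry=1"):
        print(tag)
```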