[Zope] Webdav and cookie based authentication: exUserFolder compared to cookie crumbler

Jens Vagelpohl jens@zope.com
Sun, 27 Oct 2002 11:03:26 -0500


actually, the "most correct" way would be for the cookie handling in 
exUserFolder to sniff the request and try to determine if it is a 
webdav request. i think that's how the CookieCrumbler does it, and 
that's what i do for the LDAPUserFolder.

cookie handling is a horrible mess in general, though. it is extremely 
hard to "do the right thing" under all circumstances. that's why i 
personally have taken to telling people "use cookie crumbler" and why 
there will no longer be cookie support built into the LDAPUserFolder 
itself once version 2.0 comes out.

jens


On Sunday, Oct 27, 2002, at 09:35 US/Eastern, Heimo Laukkanen wrote:

> Andrew Kenneth Milton wrote:
>
>> DAV doesn't work with cookie auth. Cookie Crumbler only works with
>> Basic Auth folders.
>> XUF used to try to fall back to Basic Auth if you had specified cookie
>> auth, but, I'm not sure if someone has changed the way that worked.
>
> Ok. Thanks Andrew for the fast reply and your work within the great
> product ,-)
>
> Conclusion then is, that it is - at least for now - better to use 
> cookie crumbler from CMF to provide the cookie-based auth and keep the 
> user folder in http-authentication mode, if you want to have also 
> webdav-access to the service.
>
> This at least works for me now on Zope 2.6 + CMF 1.3, keeping passwords in
> PostgreSQL-database.
>
> Cheers,
>
> -huima
>
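
The request sniffing discussed in this thread, sketched as an added example that is not part of the original messages and is not code from exUserFolder, CookieCrumbler or LDAPUserFolder: cookie credentials and the login-form redirect are used only for browser-style requests, and anything that looks like WebDAV gets a Basic Auth challenge. The marker list, the `__ac` cookie name, the `/login_form` URL and the WSGI-style `environ` keys are assumptions made for the illustration.

```python
# Added illustration; not code from exUserFolder, CookieCrumbler or LDAPUserFolder.
from http.cookies import SimpleCookie
from urllib.parse import quote

BROWSER_METHODS = frozenset({"GET", "HEAD", "POST"})
# Assumed markers: headers typical of DAV clients, plus the environ key a
# dedicated WebDAV source port would set.
DAV_MARKERS = ("HTTP_DEPTH", "HTTP_DESTINATION", "HTTP_LOCK_TOKEN",
               "HTTP_TRANSLATE", "WEBDAV_SOURCE_PORT")
AUTH_COOKIE = "__ac"  # assumed cookie name


def is_webdav_request(environ):
    """True when the request does not look like a browser page request."""
    if environ.get("REQUEST_METHOD", "GET").upper() not in BROWSER_METHODS:
        return True  # PROPFIND, MKCOL, LOCK, PUT ... never come from a login form
    return any(marker in environ for marker in DAV_MARKERS)


def credential_source(environ):
    """Where credentials may be read from: 'basic', 'cookie' or None."""
    if environ.get("HTTP_AUTHORIZATION", "").lower().startswith("basic "):
        return "basic"
    if is_webdav_request(environ):
        return None  # cookies are ignored on DAV requests
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return "cookie" if AUTH_COOKIE in cookies else None


def challenge(environ, realm="Zope", login_url="/login_form"):
    """Response for an unauthenticated request: (status, headers)."""
    if is_webdav_request(environ):
        # A DAV client cannot follow a redirect to an HTML form.
        return 401, [("WWW-Authenticate", 'Basic realm="%s"' % realm)]
    came_from = quote(environ.get("PATH_INFO", "/"), safe="")
    return 302, [("Location", "%s?came_from=%s" % (login_url, came_from))]


# Constructed sample requests (WSGI-style environ dicts).
DAV_REQ = {"REQUEST_METHOD": "PROPFIND", "PATH_INFO": "/docs",
           "HTTP_DEPTH": "1", "HTTP_COOKIE": "__ac=constructed-token"}
WEB_REQ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/docs/index_html",
           "HTTP_COOKIE": "__ac=constructed-token"}
ANON_REQ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/docs/index_html"}

if __name__ == "__main__":
    for name, req in (("dav", DAV_REQ), ("web", WEB_REQ), ("anon", ANON_REQ)):
        print(name, credential_source(req), challenge(req))
```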