[Grok-dev] New sample app: LoginDemo

Luciano Ramalho luciano at ramalho.org
Sun Dec 30 15:17:51 EST 2007

Hey, Brandon, thanks for the tips!

Similar to your method (1), but requiring no special configuration:
you can use localhost,,, and so on to
access the loopback interface and authenticate as many times as you
will probably need.

Your method (2) reminded me of what the Zope 2 ZMI does when you hit
logout: it redirects to an URL that alway generates a Forbidden error,
and that makes the browser give up on re-sending the previous username
and password, provided the user hits cancel in the authentication

So we actually know at least 6 different ways of dealing with this
issue, but none of them are real solutions, just workarounds.

I think the Grok admin UI should adopt session authentication so we
don't have to continue working around this limitation of HTPP basic
authentication for another 10 years...

Best regards,


On Dec 30, 2007 4:57 PM, Brandon Craig Rhodes <brandon at rhodesmill.org> wrote:
> I've seen two solutions over the years:
>  (1) An ssh connection back to my own machine that port-forwards.
>      This works because Firefox, at least, seems to consider - for
>      example - localhost:8080 and localhost:8090 to be different
>      servers that should not be given the same Basic Auth info (oddly
>      enough, it *does* seem to give both "servers" the same cookies!).
>      This is created with:
>       $ ssh -N -L 8090:localhost:8080 localhost
>      from my command line.  Typically I log on with my "admin" user to
>      the 8080 port, and then have 8090 free to be another user.
>  (2) Re-authenticate with a wrong username and password.
>      Once you're logged into a site, like localhost:8080, as a
>      particular user through Basic Auth, you can "unauthenticate" and
>      make Firefox forget whose username and password you'd entered by
>      entering a "username at password" prefix in the URL.  So if I've
>      been acting as "admin" for a while and want to stop, I re-type
>      the current URL as something like:
>        http://foo:bar@localhost:8080/main
>      and since there's really no "foo" or "bar" user, an
>      authentication error comes up and I can hit "cancel" and am no
>      longer logged in.  (At least, I seem to remember it working that
>      way!)
> I have been planning to do a little article on the whole subject of
> authentication, including both of these hints, once we have the new
> web site.
> --
> Brandon Craig Rhodes   brandon at rhodesmill.org   http://rhodesmill.org/brandon
> _______________________________________________
> Grok-dev mailing list
> Grok-dev at zope.org
> http://mail.zope.org/mailman/listinfo/grok-dev

More information about the Grok-dev mailing list