[Zope-CMF] cookieless use problems

Tres Seaver tseaver@zope.com
14 Jul 2002 14:32:08 -0400


On Sun, 2002-07-14 at 13:43, Kyler Laird wrote:
> > > > I recall way back when cookies were not required to use
> > > > CMF (or whatever it was called then).  I've been hoping
> > > > that cookies would become optional again, but I just
> > > > tried 1.3-beta2 and it looks like it's not going to
> > > > happen anytime soon.
> > > 
> > > How so? Just delete the CookieCrumbler object and cookies are no longer
> > > required...
> 
> Well, as I explained, it's just not that easy - if you want
> it to work well.  It's certainly not as easy as choosing
> "Don't use cookies." on a form.  (That's how easy I need it
> to be for users.)
> 
> > Authentication without cookies *does* work fine;  as Chris says, just
> > remove the 'cookie_authentication' object from the site, and go back to
> > the authentication used by default by your user folder.
> 
> O.k., in case anyone *is* reading what I'm writing...
> 
> HTTP authentication is getting a little more tricky.  Being
> sloppy with trailing slashes causes it to *break* on some
> browsers.  CMF is sloppy with trailing slashes.  If I have
> not explained the situation clearly and someone would like
> more help understanding what is necessary to clean up the
> links, please tell me.

RFC 2617, section 2, states WRT basic auth:

   A client SHOULD assume that all paths at or deeper than the depth of
   the last symbolic element in the path field of the Request-URI also
   are within the protection space specified by the Basic realm value of
   the current challenge. A client MAY preemptively send the
   corresponding Authorization header with requests for resources in
   that space without receipt of another challenge from the server.

If what you are asking is that the default skin / actions always
append a slash to the 'portal_url' when constructing a URL for the
root of the CMF site, that is fine, and easy;  submit it as a patch
against the relevant files to the collector.

What is *not* easy is getting Basic auth to "fire" for the "bare" site
URL if you also permit anonymous access to the root of the site.  Unless
you have a "login" link which looks something like
'path/to/cmf_site/?force_basic_auth=1', and then have some traversal
majyk which looks for the query string, I can't foresee how to
accomplish your goal.  It gets worse if you expect some portions of the
site to be protected, but not others;  browsers which behave as you
describe are going to prompt twice *anyway*.

BTW, the 'login_form' is useless under Basic Auth, anyhow;  the browser
won't use those form values to synthesize the 'Authorization' header
(mis-named, it should be 'Authentication') anyway.


Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
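As an added illustration (not code from this thread, from CMF, or from Zope), here is a small Python model of the RFC 2617 section 2 rule Tres quotes, using the interpretation browsers actually apply: the protection space is the directory containing the challenged resource, so the trailing slash on the site root decides whether later requests carry credentials preemptively. The host name, realm and paths are constructed for the example.

```python
from urllib.parse import urlsplit


def protection_space(challenge_url: str) -> str:
    """Path prefix a client treats as the Basic-auth protection space.

    RFC 2617 section 2: paths at or deeper than the last symbolic element of
    the challenged Request-URI are assumed to be in the same realm. Browsers
    read that as "everything under the directory holding the resource", so
    '/cmf_site/' yields '/cmf_site/' while '/cmf_site' yields '/'.
    """
    path = urlsplit(challenge_url).path or "/"
    if path.endswith("/"):
        return path
    return path.rsplit("/", 1)[0] + "/"


class BasicAuthClient:
    """Minimal model of a browser's cached Basic credentials (constructed)."""

    def __init__(self) -> None:
        # (scheme, host, realm) -> protection-space prefix learned from a 401
        self.spaces: dict[tuple[str, str, str], str] = {}

    def on_challenge(self, url: str, realm: str) -> None:
        parts = urlsplit(url)
        self.spaces[(parts.scheme, parts.netloc, realm)] = protection_space(url)

    def sends_preemptively(self, url: str, realm: str) -> bool:
        """True if the client would attach Authorization without a new 401."""
        parts = urlsplit(url)
        prefix = self.spaces.get((parts.scheme, parts.netloc, realm))
        return prefix is not None and (parts.path or "/").startswith(prefix)


def demo() -> dict[str, bool]:
    """Challenge at the slash-terminated root, then follow three CMF links."""
    client = BasicAuthClient()
    client.on_challenge("http://cmf.example.test/cmf_site/", "CMF")
    base = "http://cmf.example.test"
    return {
        # A deeper object is inside the space: credentials are sent.
        "deeper": client.sends_preemptively(base + "/cmf_site/folder/doc", "CMF"),
        # A sloppy root link without the slash falls outside the space; with
        # anonymous access allowed, the server never re-challenges, so the user
        # appears logged out.
        "sloppy_root": client.sends_preemptively(base + "/cmf_site", "CMF"),
        # The normalised portal_url (trailing slash appended) works.
        "slash_root": client.sends_preemptively(base + "/cmf_site/", "CMF"),
    }
```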