[Zope-dev] Re: Suggestion for small(?) change in BaseRequest.py. Security effects?

Dieter Maurer dieter at handshake.de
Fri Sep 3 14:00:50 EDT 2004


Tres Seaver wrote at 2004-9-3 08:56 -0400:
> ...
>I am worried that there may be third-party application code which relies 
>on 'validate' to raise an exception.  Returning the login form directly 
>is not really a big win over a redirect;  among other things, it messes 
>up cacheability, because the URL no longer corresponds to the "real" 
>content.

This can easily be controlled with cache control headers.

Not making a redirect would give the login form more control
over what to do after the login.
Currently, I would allow to work around a bug in
CookieCrumbler (it does not include "QUERY_STRING" in its
"came_from"). Including additional request information
may also be interesting for some "POST" requests (that do
not have a meaningful "QUERY_STRING").

-- 
Dieter

