[Zope-PAS] Challengers (and Zope 3)

Jim Fulton jim at zope.com
Thu Sep 30 13:43:01 EDT 2004

Mark Hammond wrote:
>>Which of these are possible to mix depends on client
>>implementation. For
>>example, here we notice that you can't put a redirect header and
>>authenticate header in one response:
>>The meta tag *might* work but that's kinda ugly.
> My reading of the relevant RFCs implies that it should be possible to have
> the actual login page as the body of the 401 message.
> It states:
>    If the 401 response contains
>    the same challenge as the prior response, and the user agent has
>    already attempted authentication at least once, then the user
>    should be presented the entity that was given in the response,
>    since that entity may include relevant diagnostic information.

I don't read that as support for a login page.  This is really
just a matter of giving teh user useful information, such as
the reason they can't be authenticated or the reason they need
to be authenticated in the first place.  There's no way to
provide a login page that the browser will understand.
Of course, the user could store the information entered some other
way to authenticate a session. Perhaps that's what you meant.


Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org

More information about the Zope-PAS mailing list