[Zope] cookies don't obey me

Dieter Maurer dieter@handshake.de
Tue, 10 Oct 2000 11:40:19 +0200 (CEST)


Roland Reumerman writes:
 > 1) When I set a cookie with the path set to the root
 >    <dtml-call "RESPONSE.setCookie('account',AUTHENTICATED_USER,path='/')">
Be careful with "cookies"!
The value of a cookie is quite severely restricted (it must not contain
many characters; have you read the cookie specification?).
In your case, the value is not a string at all but a
Zope object. "RESPONSE.setCookie" will probably convert the
object to a string for you. This will give you
"AUTHENTICATED_USER.getUsername()". However, I would feel
better if this were in your "setCookie" call.

Note that Zope user names can probably contain characters not
allowed in cookie values.

 > I'm still not able to click through to another hyperlink once I'm logged in, 
 > i.e., I've used www.ddi.nl/support to go the password protected Zope site, 
 > logged in as a customer, and from there I can choose other parts of the site 
 > (below .../support/). However, www.ddi.nl is an alias of 
 > www.datadistilleries.com (the actual name): as a result it asks me for the 
 > password again. I thought setting the path to '/' would convince Zope I'm 
 > authorized, but apparently it's not the case.
The path is a "local" path on your server.
Setting "path='/'" tells the browser to add the cookie to
any request going to your server. "path='/XXXX'" would tell
the browser to send it only for requests with paths beginning
with "/XXXX".
You cannot control with "path" to what server the cookie is
sent. There is the "domain" specification that gives you
some control over the servers that get the cookie.
I doubt, however, that this mechanism will allow you to 
send cookies defined by "www.ddi.nl" also to
"www.datadistilleries.com".

 > 2) This might be related to 1. I've created a logout link on the 
 > ..../support/index_html page, which looks as follows:
 > <dtml-call "RESPONSE.expireCookie('account',path='/')">
 > <dtml-call 
 > "RESPONSE.redirect('http://www.datadistilleries.com/support.html?section=m6&envelope=6')">
 > However, once I've been redirected I can still access the password protected 
 > ..../support/ site without Zope asking me for a login name.
There must be some magic you did not yet tell us about.

Usually, setting a cookie has nothing to do with password
protection or authentication.

There must be something like a "login manager" that ties
Zope's security subsystem, login/logout and cookies together.
Usually, this "login manager" would do the cookie handling
transparently.

That you are concerned with the cookie seems to indicate
that you implement your own "login manager"?

The built-in Zope authentication does not use cookies at all
but "basic authentication" as defined by HTTP.


Dieter
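As an added illustration of the path/domain rules and the cookie-value restriction discussed above (this is example code written for this archive page, not code from Zope or from either poster), the following models how a browser decides where a cookie is sent back; the host names www.ddi.nl and www.datadistilleries.com are the ones from the thread, the function names are assumptions of this example.

```python
from urllib.parse import urlsplit

# Characters the classic cookie rules (Netscape spec / RFC 2109) do not
# allow inside a cookie value without quoting.
FORBIDDEN_VALUE_CHARS = set(' \t\r\n,;')

def valid_cookie_value(value):
    """True if `value` is a str that can go into Set-Cookie unchanged."""
    return isinstance(value, str) and not FORBIDDEN_VALUE_CHARS & set(value)

def domain_matches(request_host, cookie_domain):
    """Domain-attribute rule: host equals the domain or is a subdomain of it."""
    cookie_domain = cookie_domain.lower().lstrip('.')
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith('.' + cookie_domain)

def path_matches(request_path, cookie_path):
    """Path-attribute rule: prefix match on a path-segment boundary."""
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith('/') or request_path == cookie_path:
        return True
    return request_path[len(cookie_path)] == '/'

def make_cookie(set_by, path='/', domain=None):
    """Model of a cookie as the browser stores it. Without a Domain attribute
    the cookie is host-only (sent back to `set_by` alone); a Domain attribute
    that does not cover the setting host is rejected, which is why
    www.ddi.nl cannot hand out cookies for www.datadistilleries.com."""
    if domain is not None and not domain_matches(set_by, domain):
        raise ValueError('browser would reject Domain=%s from %s' % (domain, set_by))
    return {'set_by': set_by.lower(), 'path': path, 'domain': domain}

def cookie_sent(cookie, url):
    """Would the browser attach `cookie` to a request for `url`?"""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or '/'
    if cookie['domain'] is None:
        host_ok = host == cookie['set_by']
    else:
        host_ok = domain_matches(host, cookie['domain'])
    return host_ok and path_matches(path, cookie['path'])

if __name__ == '__main__':
    # Constructed sample: the thread's cookie, set by www.ddi.nl with path='/'.
    account = make_cookie('www.ddi.nl', path='/')
    print(cookie_sent(account, 'http://www.ddi.nl/support/index_html'))      # True
    print(cookie_sent(account, 'http://www.datadistilleries.com/support/'))  # False
```

Note that this only models where the cookie travels; as the reply says, a cookie by itself grants no authorization in Zope.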