[Zope] Re: CookieCrumbler problem

Tres Seaver tseaver at zope.com
Wed Oct 13 22:30:41 EDT 2004


Gordon Lai wrote:
> Hi,
> 
> I'm having a problem with CookieCrumbler 1.24. I'm trying to use it with 
> Zope 2.7.2, Python 2.3.4, and LDAPUserFolder 2.4beta3. I want CC to show 
> my login.html when a user accesses a protected folder, but this doesn't 
> happen; the basic auth dialog still pops up. I enter a username and 
> password that authenticates correctly with my LDAP server and then my 
> login.html shows up. On this page I have to enter a correct username, 
> but then any gibberish in the password field will allow me to login; 
> this basically means that the dialog box was doing the real login and 
> this login.html wasn't doing much. I can then logout by clicking a link 
> that calls a Python Script that calls logout() in CC (is this the 
> correct way to logout? CC doesn't have any docs, so I perused its code 
> and found logout()). But now when I try to access the folder again I get 
> instantly logged out because I have code at the top of my index.html ZPT 
> that detects if a session object exists, and if it doesn't it will 
> logout the user. Since I've logged out, a session object does not exist. 
> Basically, the login process is being completely bypassed and I'm 
> hitting index.html directly.
> 
> The correct login process that I have set up is as follows:
> 
> 1) CC shows my login.html.
> 2) The user logs in, which calls index.py.
> 3) index.py creates a new session and then calls index.html
> 
> This was working for some time before "something happened" and I am now 
> seeing the above wrong behavior. What am I doing wrong?

It sounds as though 'login.html' is protected;  what happens if you 
cancel out when the basic auth dialog pops up?  What happens there is 
that you get a 401 (because the login form is protected), and the cookie 
crumbler doesn't intercept it (because it knows it is trying to 
challenge already).  Then, when you supply basic auth credentials, Zope 
renders the form, but at this point the browser is already including the 
'Authenticate:' header, which makes the login POST handler irrelevant.

BTW, I would recommend installing VerboseSecurity, if the traceback 
doesn't give you enough information:

   http://hathawaymix.org/Software/VerboseSecurity

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
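The flow Tres describes can be reproduced with a small model, added here as an illustration rather than CookieCrumbler's or Zope's own code. It models a folder behind a cookie crumbler whose login form can be configured as protected (the suspected misconfiguration), and a browser that, once it has answered a basic-auth dialog, attaches the `Authorization` header (the header Tres refers to as 'Authenticate:') to every later request. The paths, the test account `gordon`/`secret` and the `__ac=` cookie format are constructed for the example; the crumbler's rule of not intercepting a 401 raised by the login form itself is modelled after the explanation in the reply, not taken from the CookieCrumbler source.

```python
"""Model of a protected login form, a cookie crumbler and a browser that keeps
sending basic-auth credentials.  Added illustration; not Zope/CookieCrumbler code.
Paths, the test user and the cookie format are constructed for the example."""
import base64

LOGIN_FORM = "/login.html"
INDEX = "/folder/index.html"
USERS = {"gordon": "secret"}   # constructed test account, not a real credential


def basic_header(user, password):
    """The Authorization value a browser sends after answering the dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class Server:
    """A folder behind a cookie crumbler; login_form_protected=True is the
    misconfiguration suspected in the thread."""

    def __init__(self, login_form_protected):
        self.login_form_protected = login_form_protected
        self.sessions = set()          # cookies issued by successful form logins

    def _basic_auth_ok(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        return USERS.get(user) == pw

    def handle(self, method, path, headers, form=None):
        """Serve one request; returns (status, response headers, body)."""
        basic_ok = self._basic_auth_ok(headers)
        if method == "POST" and path == LOGIN_FORM:
            if basic_ok:
                # Already authenticated by the header the browser attached:
                # the submitted form password is never examined.
                return 302, {"Location": INDEX}, ""
            if USERS.get(form["name"]) == form["password"]:
                cookie = f"__ac={form['name']}"      # constructed cookie value
                self.sessions.add(cookie)
                return 302, {"Location": INDEX, "Set-Cookie": cookie}, ""
            return 302, {"Location": LOGIN_FORM}, ""
        authenticated = basic_ok or headers.get("Cookie") in self.sessions
        needs_auth = path != LOGIN_FORM or self.login_form_protected
        if needs_auth and not authenticated:
            if path == LOGIN_FORM:
                # The crumbler does not intercept a 401 raised while it is
                # already trying to show the form, so the dialog appears.
                return 401, {"WWW-Authenticate": 'Basic realm="Zope"'}, ""
            return 302, {"Location": LOGIN_FORM}, ""
        return 200, {}, f"rendered {path}"


class Browser:
    """Follows redirects, stores cookies, answers the first 401 via the dialog,
    and from then on sends the Authorization header with every request."""

    def __init__(self, server, dialog_user, dialog_password):
        self.server = server
        self.dialog = (dialog_user, dialog_password)
        self.basic = None
        self.cookie = None
        self.trace = []                # (method, path, status) per request

    def request(self, path, method="GET", form=None):
        headers = {}
        if self.basic:
            headers["Authorization"] = self.basic
        if self.cookie:
            headers["Cookie"] = self.cookie
        status, hdrs, body = self.server.handle(method, path, headers, form)
        self.trace.append((method, path, status))
        if status == 401 and self.basic is None:
            self.basic = basic_header(*self.dialog)    # user fills in the dialog
            return self.request(path, method, form)
        if "Set-Cookie" in hdrs:
            self.cookie = hdrs["Set-Cookie"]
        if status == 302:
            return self.request(hdrs["Location"])
        return status, body


def login_flow(login_form_protected, form_password):
    """Visit the protected page; if the login form is shown, submit it with
    form_password.  The dialog, if it ever appears, gets the right password."""
    server = Server(login_form_protected)
    browser = Browser(server, "gordon", "secret")
    status, body = browser.request(INDEX)
    if body == f"rendered {LOGIN_FORM}":
        status, body = browser.request(
            LOGIN_FORM, "POST", {"name": "gordon", "password": form_password})
    return {"status": status, "body": body, "trace": browser.trace,
            "dialog_used": browser.basic is not None, "cookie": browser.cookie}


if __name__ == "__main__":
    for protected, pw in [(True, "gibberish"), (False, "gibberish"), (False, "secret")]:
        r = login_flow(protected, pw)
        print(f"form protected={protected!s:5} form password={pw!r:11} -> "
              f"{r['body']}, dialog used={r['dialog_used']}, cookie={r['cookie']}")
```

With the form protected, the trace shows exactly the symptom in the original post: a 401 on `/login.html` itself, the dialog, and then the index rendering after a POST with a gibberish password, with no login cookie ever issued. With the form viewable anonymously, the wrong password sends the user back to the form and the right one issues the cookie, and the dialog never appears. The practical check is therefore to request the login form without credentials and confirm it returns 200 rather than a 401 challenge.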