New submission from Michael Pedersen <>:

Stumbled across an odd issue last night: If a username has an exclamation in it,
and that username is returned as is from an IIdentifier, then the auth_tkt
cookie will be invalid. For instance, if my login were "Pedersen!", the auth_tkt
cookie would look like this:


When the ticket is parsed later, the username returned from the auth_tkt will be
"Pedersen" (since it splits on !). It would be much nicer if the code were to
use urllib.quote and urllib.unquote on the returned username to ensure that such
oddball characters do not pose a problem ever.

I'll probably try to fix this myself this week, but if I don't get the chance, I
figured at least having the bug listed here would be a good thing.

messages: 266
nosy: pedersen
priority: bug
status: unread
title: repoze.who Identifier Issue

Repoze Bugs <>
Repoze-dev mailing list

Reply via email to