On Tue, 15 May 2001, Chris Withers wrote:
> If so many browsers do this wrong (the list seems to currently be IE, Mozilla,
> Lynx and W3M... add Netscape and you'll have about 99% coverage ;-) maybe it's
> Zope that's wrong by way of being in the minority?
> peanut-gallery-ly yours,

The problem is, there is no way to "fix" zope to compensate for
what the browsers (aren't) doing, when you are talking about basic
auth.  The issue is, the ZMI (and probably a fair number of zope
apps) want to present different information to the viewer depending
on "who the viewer is".  To know who the viewer is, in a session-less
protocol, means that the client has to tell the server its identity
at the start of every transaction.  Now, with cookie based
authentication we can just look to see if the cookie exists, because
we always get passed that info.  The same is true with Basic
Authentication, *if and only if* the client always sends the basic
auth info with the transaction.  Which is why (my understanding
is) the http standard requires that basic auth info always be sent
by the client.  And thus Mozilla, lynx, and w3m *are* broken.

Now, if the ZMI were rewritten to be session based, and you used
a non-basic-auth based session, you could avoid the problem.
Want to volunteer to do the rewrite? <grin>

A workaround if you don't need non-Manager access to the ZMI, by
the way, is to disallow anonymous access to the 'manage_workspace'
method.  (On line 139 of the 2.3.2 version of App/Management.py
change 'Anonymous' to 'Manager') This only solves the problem for
the ZMI, though; I have application pages that *have* to be
anonymously viewable but which I want to have "authed user" versions
of, so I'd really like the browsers to get fixed.
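A small model of the identification problem described in this message, added here as an example (not code from the thread or from Zope): a server that identifies the viewer from a Basic Authorization header or a session cookie, and a browser that only sends Basic credentials after a 401. The user table, session store and role names are constructed stand-ins, not Zope's user folder.

```python
import base64

# Constructed user table: username -> (password, role). Stand-in for a Zope user folder.
USERS = {"alice": ("s3cret", "Manager")}
# Constructed cookie session store: session id -> username.
SESSIONS = {"sid-1234": "alice"}


def identify(headers):
    """Return the authenticated username, or None for an anonymous request.

    Basic credentials identify the client only if it attached them to *this*
    request; a cookie is attached by the browser to every request once set.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return user if user in USERS and USERS[user][0] == pw else None
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return SESSIONS[value]
    return None


def serve(headers, anonymous_allowed):
    """Server decision as (status, identity).

    anonymous_allowed=True models the default manage_workspace permission;
    False models the workaround ('Anonymous' changed to 'Manager').
    """
    who = identify(headers)
    if who is None and not anonymous_allowed:
        # The 401 challenge is the only thing that makes a non-preemptive
        # browser attach its Basic credentials on the retry.
        return 401, None
    return 200, who


def nonpreemptive_browser(anonymous_allowed, creds=None):
    """Browser that sends Basic credentials only after it has seen a 401."""
    status, who = serve({}, anonymous_allowed)
    if status == 401 and creds:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        status, who = serve({"Authorization": "Basic " + token}, anonymous_allowed)
    return status, who
```

With anonymous access allowed, the logged-in user is served the anonymous page; denying anonymous access forces the challenge and the credentials arrive, which is exactly why the workaround only helps for pages that need no anonymous view.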


Zope-Dev maillist  -  [EMAIL PROTECTED]