I imagine it's an accident of implementation.
On May 27, 2006, at 5:22 PM, Jens Vagelpohl wrote:
On 27 May 2006, at 20:37, Wichert Akkerman wrote:
I was investigating a plone bug (http://dev.plone.org/plone/ticket/5355)
and it is caused by PAS behaviour. The problem boils down to logic in
CookieAuthHelper.extractCredentials: if a cookie is present the
credentials are extracted from it and form fields are ignored. This
means that if we have a cookie containing credentials which no longer
authenticate it becomes impossible to login as a different user since
the form data is never seen.
Looking at the equivalent in the CookieCrumbler code (method
modifyRequest) it seems the CookieCrumbler does it the other way
around and will look for form data before looking for the cookie.
I'd be interested to find out the rationale for weighting cookie
information higher than form data. Does anyone remember?
jens
_______________________________________________
Zope-PAS mailing list
[email protected]
http://mail.zope.org/mailman/listinfo/zope-pas
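The two extraction orders compared in the thread, as an added example that is not part of the original messages and not the PAS or CookieCrumbler source. It assumes the conventional Zope `__ac` cookie (base64 of `login:password`) and the `__ac_name`/`__ac_password` form fields; the function names and the sample request are made up for the illustration.

```python
# Added illustration of the credential-precedence issue from the thread: a
# simplified model, not PAS or CookieCrumbler code; names are made up.
import base64


def _decode_cookie(value):
    """Decode a base64 'login:password' cookie; None if it is malformed."""
    try:
        login, password = base64.b64decode(value).decode("utf-8").split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    return {"login": login, "password": password}


def _from_form(request):
    """Return credentials from the login form fields, or None if absent."""
    form = request.get("form", {})
    if "__ac_name" not in form or "__ac_password" not in form:
        return None
    return {"login": form["__ac_name"], "password": form["__ac_password"]}


def extract_cookie_first(request):
    """Order the thread attributes to CookieAuthHelper: if a cookie is
    present its contents win and the form is never looked at."""
    cookie = request.get("cookies", {}).get("__ac")
    if cookie is not None:
        creds = _decode_cookie(cookie)
        if creds is not None:
            return creds
    return _from_form(request) or {}


def extract_form_first(request):
    """Order the thread attributes to CookieCrumbler: a submitted form
    takes precedence, so a stale cookie cannot block a fresh login."""
    creds = _from_form(request)
    if creds is not None:
        return creds
    cookie = request.get("cookies", {}).get("__ac")
    return (_decode_cookie(cookie) or {}) if cookie is not None else {}


# Constructed sample request: a stale cookie for 'alice' plus a fresh login
# form for 'bob'. Only the form-first order lets bob log in.
STALE_COOKIE = base64.b64encode(b"alice:old-password").decode("ascii")
SAMPLE_REQUEST = {
    "cookies": {"__ac": STALE_COOKIE},
    "form": {"__ac_name": "bob", "__ac_password": "bobs-password"},
}
```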