I imagine it's an accident of implementation.

On May 27, 2006, at 5:22 PM, Jens Vagelpohl wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 27 May 2006, at 20:37, Wichert Akkerman wrote:

I was investigating a plone bug (http://dev.plone.org/plone/ticket/5355) and it is caused by PAS behaviour. The problem boils down to logic in
CookieAuthHelper.extractCredentials: if a cookie is present the
credentials are extracted from it and form fields are ignored. This
means that if we have a cookie containing credentials which no longer
authenticate it becomes impossible to login as a different user since
the form data is never seen.

Looking at the equivalent in the CookieCrumbler code (method modifyRequest) it seems the cookie crumbler does it the other way around and will look for form data before looking for the cookie. I'd be interested to find out the rationale for weighting cookie information higher than form data. Does anyone remember?

jens


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEeMMtRAx5nvEhZLIRAk2jAKC10jUqyQphNPvjehDWmP9bXmhDvACgjvwZ
vGn0MPGP/Ueu77mQOj+c2C4=
=k3jP
-----END PGP SIGNATURE-----
_______________________________________________
Zope-PAS mailing list
Zope-PAS@zope.org
http://mail.zope.org/mailman/listinfo/zope-pas
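The two extraction orders discussed in the thread, modelled as an added example that is not code from PAS or CookieCrumbler. The cookie name `__ac`, the form field names `__ac_name` and `__ac_password`, the base64 `name:password` cookie encoding, the `deleted` sentinel and the user table are all assumptions made for the demonstration. It shows why a cookie-first extractor combined with a stale cookie locks the browser out of logging in as anyone else, while a form-first extractor lets the form submission win:

```python
"""Model of cookie-before-form vs form-before-cookie credential extraction.

Added example, not the code of PAS CookieAuthHelper or CookieCrumbler.
Field names, cookie format and the user database are assumptions.
"""
import base64
import binascii
from dataclasses import dataclass, field
from typing import Dict, Optional

COOKIE_NAME = "__ac"             # assumed auth cookie name
FORM_NAME = "__ac_name"          # assumed login form field
FORM_PASSWORD = "__ac_password"  # assumed password form field


@dataclass
class Request:
    """Minimal stand-in for a web request: cookies and form fields."""
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def encode_cookie(login: str, password: str) -> str:
    """Assumed cookie format: base64 of 'login:password'."""
    return base64.b64encode(f"{login}:{password}".encode()).decode()


def _from_cookie(request: Request) -> Optional[dict]:
    """Credentials from the cookie, or None if absent, deleted or malformed."""
    cookie = request.cookies.get(COOKIE_NAME)
    if not cookie or cookie == "deleted":
        return None
    try:
        login, password = base64.b64decode(cookie).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None
    return {"login": login, "password": password, "source": "cookie"}


def _from_form(request: Request) -> Optional[dict]:
    """Credentials from the login form, or None if the form was not submitted."""
    login = request.form.get(FORM_NAME)
    password = request.form.get(FORM_PASSWORD)
    if not login or password is None:
        return None
    return {"login": login, "password": password, "source": "form"}


def extract_cookie_first(request: Request) -> dict:
    """Order described for CookieAuthHelper: a present cookie hides the form."""
    return _from_cookie(request) or _from_form(request) or {}


def extract_form_first(request: Request) -> dict:
    """Order described for CookieCrumbler: a submitted form beats the cookie."""
    return _from_form(request) or _from_cookie(request) or {}


# Constructed user database; alice's password has since been changed.
USERS = {"alice": "s3cret", "bob": "hunter2"}


def authenticate(creds: dict) -> Optional[str]:
    """Return the login if the extracted credentials are valid, else None."""
    if not creds:
        return None
    if USERS.get(creds["login"]) == creds["password"]:
        return creds["login"]
    return None


def login_with_stale_cookie(extract) -> Optional[str]:
    """The scenario from the thread: a cookie whose credentials no longer
    authenticate sits beside a valid form login for a different user.
    Returns whoever ends up authenticated under the given extraction order."""
    request = Request(
        cookies={COOKIE_NAME: encode_cookie("alice", "old-password")},
        form={FORM_NAME: "bob", FORM_PASSWORD: "hunter2"},
    )
    return authenticate(extract(request))


if __name__ == "__main__":
    print("cookie first:", login_with_stale_cookie(extract_cookie_first))  # None
    print("form first:  ", login_with_stale_cookie(extract_form_first))    # bob
```

With the cookie-first order the stale `alice` cookie is decoded, fails authentication, and bob's form submission is never examined, which is exactly the lockout the ticket describes; the form-first order only consults the cookie when no form was submitted, so an explicit login always gets a chance to replace a dead session.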

