Ok, I'll change PAS to behave like CookieCrumbler on trunk.
Previously Chris McDonough wrote:
> I imagine it's an accident of implementation.
> On May 27, 2006, at 5:22 PM, Jens Vagelpohl wrote:
> >On 27 May 2006, at 20:37, Wichert Akkerman wrote:
> >>I was investigating a plone bug (http://dev.plone.org/plone/ticket/
> >>and it is caused by PAS behaviour. The problem boils down to
> >>logic in
> >>CookieAuthHelper.extractCredentials: if a cookie is present the
> >>credentials are extracted from it and form fields are ignored. This
> >>means that if we have a cookie containing credentials which no longer
> >>authenticate it becomes impossible to log in as a different user since
> >>the form data is never seen.
> >Looking at the equivalent in the CookieCrumbler code (method
> >modifyRequest) it seems the cookie crumbler does it the other way
> >around and will look for form data before looking for the cookie.
> >I'd be interested to find out the rationale for weighting cookie
> >information higher than form data. Does anyone remember?
> >Zope-PAS mailing list
Wichert Akkerman <[EMAIL PROTECTED]> It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.
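
The extraction-order problem discussed in this thread, shown as an added example that is not code from PAS, CookieCrumbler or any of the posters. The request shape, the `auth_cookie` name, the `login`/`password` form fields and the base64 `login:password` cookie encoding are assumptions made for the illustration.

```python
import base64

# Constructed user store: alice's password changed after her cookie was issued.
USERS = {"alice": "new-secret", "bob": "bobpw"}

def encode_cookie(login, password):
    return base64.b64encode(f"{login}:{password}".encode()).decode()

def from_cookie(request):
    """Credentials from the (hypothetical) auth_cookie, or None if absent/garbled."""
    raw = request.get("cookies", {}).get("auth_cookie")
    if not raw:
        return None
    try:
        decoded = base64.b64decode(raw, validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    login, _, password = decoded.partition(":")
    return {"login": login, "password": password, "source": "cookie"}

def from_form(request):
    """Credentials from submitted login form fields, or None if not submitted."""
    form = request.get("form", {})
    login, password = form.get("login"), form.get("password")
    if not login or password is None:
        return None
    return {"login": login, "password": password, "source": "form"}

def extract_cookie_first(request):
    # Order the thread reports for CookieAuthHelper.extractCredentials.
    return from_cookie(request) or from_form(request)

def extract_form_first(request):
    # Order the thread reports for CookieCrumbler.modifyRequest.
    return from_form(request) or from_cookie(request)

def login_attempt(extract, request):
    creds = extract(request)
    if creds and USERS.get(creds["login"]) == creds["password"]:
        return creds["login"]
    return None

# Constructed request: stale cookie for alice plus a login form submitted as bob.
STALE_REQUEST = {
    "cookies": {"auth_cookie": encode_cookie("alice", "old-secret")},
    "form": {"login": "bob", "password": "bobpw"},
}

if __name__ == "__main__":
    print("cookie first:", login_attempt(extract_cookie_first, STALE_REQUEST))
    print("form first:  ", login_attempt(extract_form_first, STALE_REQUEST))
```

With the cookie consulted first, the stale cookie shadows the submitted form and the login fails; with the form consulted first, the explicit login wins and the cookie is only a fallback.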