I would have hoped for a few more opinions before doing that... please don't be so quick next time.


jens


On 27 May 2006, at 22:40, Wichert Akkerman wrote:

Ok, I'll change PAS to behave like CookieCrumbler on trunk.

Wichert.


Previously Chris McDonough wrote:
I imagine it's an accident of implementation.

On May 27, 2006, at 5:22 PM, Jens Vagelpohl wrote:

On 27 May 2006, at 20:37, Wichert Akkerman wrote:

I was investigating a Plone bug (http://dev.plone.org/plone/ticket/5355)
and it is caused by PAS behaviour. The problem boils down to logic in
CookieAuthHelper.extractCredentials: if a cookie is present the
credentials are extracted from it and form fields are ignored. This
means that if we have a cookie containing credentials which no longer
authenticate it becomes impossible to log in as a different user since
the form data is never seen.

Looking at the equivalent in the CookieCrumbler code (method
modifyRequest) it seems the cookie crumbler does it the other way
around and will look for form data before looking for the cookie.
I'd be interested to find out the rationale for weighting cookie
information higher than form data. Does anyone remember?

jens


_______________________________________________
Zope-PAS mailing list
Zope-PAS@zope.org
http://mail.zope.org/mailman/listinfo/zope-pas

--
Wichert Akkerman <[EMAIL PROTECTED]>    It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.

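The extraction-order problem discussed in this thread, as an added example that is not part of the original messages and is not PAS or CookieCrumbler code. It is a simplified model: the cookie name, form field names, cookie encoding, helper names and user table are assumptions constructed for illustration.

```python
import base64
from urllib.parse import quote, unquote

# Constructed users; alice changed her password after her cookie was issued.
USERS = {"alice": "new-secret", "bob": "bobs-secret"}
COOKIE, F_NAME, F_PW = "__ac", "__ac_name", "__ac_password"  # assumed names


def encode_cookie(login, password):
    """Assumed cookie format: URL-quoted base64 of 'login:password'."""
    return quote(base64.b64encode(f"{login}:{password}".encode()).decode())


def from_cookie(request):
    value = request.get("cookies", {}).get(COOKIE)
    if not value:
        return None
    try:
        login, password = base64.b64decode(unquote(value)).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie is treated as absent
    return {"login": login, "password": password, "source": "cookie"}


def from_form(request):
    form = request.get("form", {})
    if form.get(F_NAME) and F_PW in form:
        return {"login": form[F_NAME], "password": form[F_PW], "source": "form"}
    return None


def extract_cookie_first(request):
    """Order described for CookieAuthHelper: a present cookie hides the form."""
    return from_cookie(request) or from_form(request)


def extract_form_first(request):
    """Order described for CookieCrumbler: submitted form data wins."""
    return from_form(request) or from_cookie(request)


def login_as(extractor, request):
    creds = extractor(request)
    ok = creds is not None and USERS.get(creds["login"]) == creds["password"]
    return creds["login"] if ok else None


# Constructed request: stale cookie for alice plus a fresh login form for bob.
STALE = {"cookies": {COOKIE: encode_cookie("alice", "old-secret")},
         "form": {F_NAME: "bob", F_PW: "bobs-secret"}}
```

With `STALE`, `login_as(extract_cookie_first, STALE)` returns `None` because the form is never consulted, while `login_as(extract_form_first, STALE)` returns `"bob"`.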