Ok, I'll change PAS to behave like CookieCrumbler on trunk.

Wichert.

Previously Chris McDonough wrote:
> I imagine it's an accident of implementation.
>
> On May 27, 2006, at 5:22 PM, Jens Vagelpohl wrote:
>
> >On 27 May 2006, at 20:37, Wichert Akkerman wrote:
> >
> >>I was investigating a plone bug (http://dev.plone.org/plone/ticket/5355)
> >>and it is caused by PAS behaviour. The problem boils down to logic in
> >>CookieAuthHelper.extractCredentials: if a cookie is present the
> >>credentials are extracted from it and form fields are ignored. This
> >>means that if we have a cookie containing credentials which no longer
> >>authenticate it becomes impossible to log in as a different user since
> >>the form data is never seen.
> >
> >Looking at the equivalent in the CookieCrumbler code (method
> >modifyRequest) it seems the cookie crumbler does it the other way
> >around and will look for form data before looking for the cookie.
> >I'd be interested to find out the rationale for weighting cookie
> >information higher than form data. Does anyone remember?
> >
> >jens

-- 
Wichert Akkerman <[EMAIL PROTECTED]>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
_______________________________________________
Zope-PAS mailing list
Zope-PAS@zope.org
http://mail.zope.org/mailman/listinfo/zope-pas
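
Added example, not part of the thread and not PAS or CookieCrumbler code: a simplified model of the two extraction orders discussed above, run against a request that carries a stale credential cookie together with a fresh login form. The cookie name `auth`, the form fields `login` and `password`, the base64 `login:password` cookie encoding and the sample accounts are assumptions made for the illustration.

```python
import base64

USERS = {"alice": "wonderland", "bob": "builder"}  # constructed sample accounts

def make_cookie(login, password):
    """Encode credentials the way this model's cookie stores them (assumed format)."""
    return base64.b64encode(f"{login}:{password}".encode()).decode()

def from_cookie(request):
    """Decode 'login:password' from the hypothetical 'auth' cookie, if present."""
    raw = request.get("cookies", {}).get("auth")
    if not raw:
        return None
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or non-UTF-8 bytes: treat as no cookie
        return None
    login, _, password = decoded.partition(":")
    return {"login": login, "password": password, "source": "cookie"}

def from_form(request):
    """Read credentials from the hypothetical login form fields."""
    form = request.get("form", {})
    if form.get("login") and form.get("password"):
        return {"login": form["login"], "password": form["password"], "source": "form"}
    return None

def extract_cookie_first(request):
    """Order the thread reports for CookieAuthHelper: a cookie hides the form."""
    return from_cookie(request) or from_form(request)

def extract_form_first(request):
    """Order the thread reports for CookieCrumbler: form data is checked first."""
    return from_form(request) or from_cookie(request)

def authenticate(creds):
    """Return the login if the credentials match a known account, else None."""
    if creds and USERS.get(creds["login"]) == creds["password"]:
        return creds["login"]
    return None

# Constructed request: cookie holds alice's old password, form submits bob's login.
STALE_REQUEST = {
    "cookies": {"auth": make_cookie("alice", "old-password")},
    "form": {"login": "bob", "password": "builder"},
}

if __name__ == "__main__":
    for extract in (extract_cookie_first, extract_form_first):
        creds = extract(STALE_REQUEST)
        print(extract.__name__, "used", creds["source"], "->", authenticate(creds))
```

In this model the cookie-first order keeps failing for as long as the stale cookie is sent, because the submitted form is never read; a malformed cookie does not have that effect, since it decodes to nothing and extraction falls through to the form.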