[Exuserfolder-users] Re: [Zope] Webdav and cookie based authentication: exUserFolder compared to cookie crumbler

Andrew Kenneth Milton akm@theinternet.com.au
Mon, 28 Oct 2002 03:11:35 +1000


+-------[ Jens Vagelpohl ]----------------------
| actually, the "most correct" way would be for the cookie handling in 
| exUserFolder to sniff the request and try to determine if it is a 
| webdav request. i think that's how the CookieCrumbler does it, and 
| that's what i do for the LDAPUserFolder.
| 
| cookie handling is a horrible mess in general, though. it is extremely 
| hard to "do the right thing" under all circumstances. that's why i 
| personally have taken to telling people "use cookie crumbler" and why 
| there will no longer be cookie support built into the LDAPUserFolder 
| itself once version 2.0 comes out.

Unfortunately the credentials are easily sniffed out of cookies set by
CookieCrumbler (and XUF in non-secure cookie mode).

If FTP works with XUF, I don't see why DAV shouldn't work either. I know
FTP *used to* work. Perhaps the folks responsible for the validate 
overhaul would like to comment about now.

-- 
Totally Holistic Enterprises Internet|                      | Andrew Milton
The Internet (Aust) Pty Ltd          |  M:+61 416 022 411   |
ACN: 082 081 472 ABN: 83 082 081 472 |akm@theinternet.com.au| Carpe Daemon
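
Added example, not part of the original message and not code from exUserFolder, CookieCrumbler or LDAPUserFolder: a sketch of the request sniffing described in the quoted text, plus a cookie that is kept off plaintext connections. All function names, the User-Agent hints, the realm, the login URL and the opaque-token cookie are assumptions made for illustration.

```python
# Added example: hypothetical names throughout, not exUserFolder or CookieCrumbler code.
from http.cookies import SimpleCookie

# Methods defined by WebDAV (RFC 4918) that a browser form login never sends.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Constructed sample User-Agent fragments for DAV clients; a real list needs tuning.
DAV_AGENT_HINTS = ("microsoft-webdav", "davfs", "cadaver", "webdavfs")


def is_webdav_request(method, headers):
    """Heuristic sniff: True if the request looks like it came from a DAV client."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in DAV_METHODS:
        return True
    # Depth, Destination and Lock-Token are DAV request headers.
    if any(name in h for name in ("depth", "destination", "lock-token")):
        return True
    # DAV clients also send plain GET/PUT, so fall back to the User-Agent.
    agent = h.get("user-agent", "").lower()
    return any(hint in agent for hint in DAV_AGENT_HINTS)


def unauthorized_response(method, headers, login_url="/login_form"):
    """Pick the auth challenge: Basic for DAV clients, login redirect for browsers."""
    if is_webdav_request(method, headers):
        # Realm string is a constructed placeholder.
        return 401, {"WWW-Authenticate": 'Basic realm="Zope"'}
    return 302, {"Location": login_url}


def session_cookie(token, name="session"):
    """Build a Set-Cookie value for an opaque token (assumed design), not credentials."""
    c = SimpleCookie()
    c[name] = token
    c[name]["path"] = "/"
    c[name]["secure"] = True    # never sent over plaintext HTTP
    c[name]["httponly"] = True  # not readable from page scripts
    return c[name].OutputString()
```

The Basic challenge still exposes credentials on an unencrypted connection, so the DAV branch only makes sense behind TLS.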