Mailing List Archive

[Zope-PTK] morphing identity
I've noticed that there are some problems with keeping users straight from
one screen to another. I created a regular user account along with my
manager account and noticed that as I move from screen to screen that
sometimes my identity will change between the two. Also, I went to another
computer to look at the site, and when I put in the URL it popped up with
my manager account already logged in. That's probably not supposed to
happen. :-)

-Tim

--
Tim Wilson | Visit Sibley online: | Check out:
Henry Sibley H.S. | http://www.isd197.k12.mn.us/ | http://www.zope.org/
W. St. Paul, MN | | http://slashdot.org/
wilson@visi.com | <dtml-var pithy_quote> | http://linux.com/

Re: [Zope-PTK] morphing identity
Are you sure that you're not just seeing caching effects?

(Though I will admit that it seems mighty odd that you'd be logged in as
manager if you go to another machine :)

Kevin

----- Original Message -----
From: "Timothy Wilson" <wilson@visi.com>
To: <zope-ptk@zope.org>
Sent: Monday, February 14, 2000 12:54 PM
Subject: [Zope-PTK] morphing identity


> I've noticed that there are some problems with keeping users straight from
> one screen to another. I created a regular user account along with my
> manager account and noticed that as I move from screen to screen that
> sometimes my identity will change between the two. Also, I went to another
> computer to look at the site, and when I put in the URL it popped up with
> my manager account already logged in. That's probably not supposed to
> happen. :-)

Re: [Zope-PTK] morphing identity
On Mon, 14 Feb 2000, Kevin Dangoor wrote:

> Are you sure that you're not just seeing caching effects?
>
> (Though I will admit that it seems mighty odd that you'd be logged in as
> manager if you go to another machine :)

I thought of that, and it's a possibility because the machines are all
sitting behind a proxy server. That doesn't explain what happened when I
went to a different machine that I had never used to access the portal
before and found myself logged in as the portal manager.

Hitting shift-reload did fix the problem, but I don't see that behavior
when I'm accessing my regular, non-PTK Zope site.

Somebody try it and see what happens. The portal URL is
http://www.isd197.k12.mn.us:8888/isd197

-Tim

--
Tim Wilson | Visit Sibley online: | Check out:
Henry Sibley H.S. | http://www.isd197.k12.mn.us/ | http://www.zope.org/
W. St. Paul, MN | | http://slashdot.org/
wilson@visi.com | <dtml-var pithy_quote> | http://linux.com/

Re: [Zope-PTK] morphing identity
----- Original Message -----
From: "Timothy Wilson" <wilson@visi.com>
To: "Kevin Dangoor" <kid@kendermedia.com>
Cc: <zope-ptk@zope.org>
Sent: Monday, February 14, 2000 2:08 PM
Subject: Re: [Zope-PTK] morphing identity


> On Mon, 14 Feb 2000, Kevin Dangoor wrote:
>
> > Are you sure that you're not just seeing caching effects?
> >
> > (Though I will admit that it seems mighty odd that you'd be logged in as
> > manager if you go to another machine :)
>
> I thought of that, and it's a possibility because the machines are all
> sitting behind a proxy server. That doesn't explain what happened when I
> went to a different machine that I had never used to access the portal
> before and found myself logged in as the portal manager.
>
> Hitting shift-reload did fix the problem, but I don't see that behavior
> when I'm accessing my regular, non-PTK Zope site.

It's surprising that a regular reload wouldn't do the job. (Did you *have*
to shift-reload?)

I have found with Zope at times that IE (at least) doesn't recognize when
some of the data has changed.

> Somebody try it and see what happens. The portal URL is
> http://www.isd197.k12.mn.us:8888/isd197

It recognized that I am not logged in.

Kevin

Re: [Zope-PTK] morphing identity
On Mon, 14 Feb 2000, Timothy Wilson wrote:

> Hitting shift-reload did fix the problem, but I don't see that behavior
> when I'm accessing my regular, non-PTK Zope site.

This convinces me that you do indeed have some sort of cache between
your client boxes and the server, which is doing some really awful things.
Perhaps the difference in behaviour compared to your non-PTK site is due
to the fact that the PTK doesn't use HTTP-based authorization and your
vanilla Zope site probably does. I'm guessing that your cache uses this
as a part of the key it uses to find cached results.

Here's a quick-and-dirty fix (read: hack) to try; in
PTKBase/MemberFolder.py there are two lines which raise 'Login
Required'. They look like this:

raise 'Login Required', self.loginForm(self, request)

Replace this with "raise 'Unauthorized'". This will cause the
standard browser authentication window to pop up instead of redirecting
you to a login form. You should be able to log in using HTTP-auth and
avoid this caching nastiness.

I wouldn't advise doing this on a production site. I'd like to find a
better solution. Is there any way to explicitly say, "Do not cache this
page"? Or, preferably, "This page is user-dependent" or something
similar?

--
Mike Pelletier email: mike@digicool.com
Mild mannered software developer icq: 7127228
by day, super villain by night. phone: 519-884-2434

Re: [Zope-PTK] morphing identity
On Mon, 14 Feb 2000, Mike Pelletier wrote:

> On Mon, 14 Feb 2000, Timothy Wilson wrote:
>
> > Hitting shift-reload did fix the problem, but I don't see that behavior
> > when I'm accessing my regular, non-PTK Zope site.

I didn't try a plain "reload," but I'm nearly certain that it would have
the same effect as shift-reload.

> This convinces me that you do indeed have some sort of cache between
> your client boxes and the server, which is doing some really awful things.

I know that there's a cache. We use Novell's BorderManager to do all sorts
of proxying and Web caching (I don't admin that box, however).

> Perhaps the difference in behaviour compared to your non-PTK site is due
> to the fact that the PTK doesn't use HTTP-based authorization and your
> vanilla Zope site probably does. I'm guessing that your cache uses this
> as a part of the key it uses to find cached results.

Zope.org doesn't give me any trouble when I access it through our proxy.
Occasionally, however, when I go to Slashdot I find that I'm not logged in
any more and I need to enter my username/password combo to get back to my
custom view. I've never figured out any pattern to it though. I certainly
don't find myself logged in to Slashdot when I walk up to a machine that
I've never used before.

> Here's a quick-and-dirty fix (read: hack) to try; in
> PTKBase/MemberFolder.py there are two lines which raise 'Login
> Required'. They look like this:
>
> raise 'Login Required', self.loginForm(self, request)
>
> Replace this with "raise 'Unauthorized'". This will cause the
> standard browser authentication window to pop up instead of redirecting
> you to a login form. You should be able to log in using HTTP-auth and
> avoid this caching nastiness.

Will this break any other part of the PTK? The caching problem isn't a big
deal at this point since we're still just messing around with it.

> I wouldn't advise doing this on a production site. I'd like to find a
> better solution. Is there any way to explicitly say, "Do not cache this
> page"? Or, preferably, "This page is user-dependent" or something
> similar?

Again, I don't have any problems with Zope.org so is there something
different about the authentication?

-Tim

--
Tim Wilson | Visit Sibley online: | Check out:
Henry Sibley H.S. | http://www.isd197.k12.mn.us/ | http://www.zope.org/
W. St. Paul, MN | | http://slashdot.org/
wilson@visi.com | <dtml-var pithy_quote> | http://linux.com/

Re: [Zope-PTK] morphing identity
On Mon, 14 Feb 2000, Timothy Wilson wrote:

> > raise 'Login Required', self.loginForm(self, request)
> >
> > Replace this with "raise 'Unauthorized'". This will cause the
> > standard browser authentication window to pop up instead of redirecting
> > you to a login form. You should be able to log in using HTTP-auth and
> > avoid this caching nastiness.
>
> Will this break any other part of the PTK? The caching problem isn't a big
> deal at this point since we're still just messing around with it.

I gave you bad advice, don't do that. Instead, look for a DTML Method
called 'login_form' in your Portal object. Stick this in it somewhere:

<dtml-raise type="Unauthorized">
Please log in.
</dtml-raise>

As far as breakage goes, nothing that I can think of will break but it
will make portions of the portal unavailable. Specifically, it will hide
the 'Mail me my password' link from you. You can make this link available
elsewhere, though.

The new 'LoginManager' based membership services will give us much
better control over stuff like this. It is due Real, Real Soon Now.

> Again, I don't have any problems with Zope.org so is there something
> different about the authentication?

Do multiple people from your LAN log into Zope.org? Try logging into
Zope.org, finding some page you've never seen before, and then viewing the
identical URL on another station.

Another thing to consider, you may have different caching policies for
local and external resources. This is really a job for your cache admin.

Mike.

--
Mike Pelletier email: mike@digicool.com
Mild mannered software developer icq: 7127228
by day, super villain by night. phone: 519-884-2434

RE: [Zope-PTK] morphing identity
From: Timothy Wilson [mailto:wilson@visi.com]
>
> I've noticed that there are some problems with keeping users straight from
> one screen to another. I created a regular user account along with my
> manager account and noticed that as I move from screen to screen that
> sometimes my identity will change between the two. Also, I went to another
> computer to look at the site, and when I put in the URL it popped up with
> my manager account already logged in. That's probably not supposed to
> happen. :-)
>

Uhoh. I think I know what goes wrong here.

Did you change things like the Roles on the manager account? If so, you
may inadvertently have cleared the password field on that user. This is
due to an incomplete fix to the "password echoed in password field box"
issue. When you submit the User form, with the password field empty, you
can be authenticated against this user without a password box ever
popping up, from anywhere in the network.

--
Martijn Pieters, Software Engineer
| Digital Creations http://www.digicool.com
| Creators of Zope http://www.zope.org
| mailto:mj@digicool.com ICQ: 4532236
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
-------------------------------------------

Re: [Zope-PTK] morphing identity
On Mon, 14 Feb 2000, Mike Pelletier wrote:

> > Again, I don't have any problems with Zope.org so is there something
> > different about the authentication?

For those who didn't see my initial message... I was finding that I had to
keep reloading the pages at my Zope portal in order to keep the proper
membership information displayed. In other words, I would log in as
'wilson', go to a different page and possibly find that it said that I was
'guest'. Hitting reload corrected the problem.

Mike suggested:

> Do multiple people from your LAN log into Zope.org? Try logging into
> Zope.org, finding some page you've never seen before, and then viewing the
> identical URL on another station.

I tried this and found the same problem with Zope.org. I guess that our
Novell BorderManager proxy is caching Zope.org too. I'm not very familiar
with Border Manager, but I suppose we could fix it by telling 'Border' to
stop caching zope.org and my Zope portal. That seems like a brute force
kludge, however. Is there a way that Zope itself could handle this?

-Tim

--
Tim Wilson | Visit Sibley online: | Check out:
Henry Sibley H.S. | http://www.isd197.k12.mn.us/ | http://www.zope.org/
W. St. Paul, MN | | http://slashdot.org/
wilson@visi.com | <dtml-var pithy_quote> | http://linux.com/
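
The "Do not cache this page" and "This page is user-dependent" signals asked about in this thread correspond to the HTTP/1.1 response headers `Cache-Control: private` (or `no-store`) and `Vary: Cookie`. The following is an added example, not part of the original thread or of the PTK code: a constructed Python model of a shared cache in front of a cookie-login site, using a hypothetical `login` cookie, that shows the stale-identity hit and how each header prevents it.

```python
# Constructed model: a shared proxy cache in front of a cookie-login site.
# The "login" cookie name and header choices are assumptions for illustration.

def make_origin(extra_headers):
    """Toy origin server: renders each page for whoever the cookie names."""
    def origin(url, req_headers):
        user = req_headers.get("cookie", "").partition("login=")[2] or "guest"
        return dict(extra_headers), f"{url} rendered for {user}"
    return origin

def _names(header_value):
    """Split a comma-separated header value into lowercase tokens."""
    return tuple(n.strip().lower() for n in header_value.split(",") if n.strip())

class SharedCache:
    """Shared cache that keys on the URL plus any request headers named by Vary."""
    def __init__(self, origin):
        self.origin = origin
        self.entries = {}  # url -> (vary names, {variant key: body})

    def fetch(self, url, req_headers):
        vary, variants = self.entries.get(url, ((), {}))
        key = tuple(req_headers.get(n, "") for n in vary)
        if key in variants:
            return variants[key], "HIT"
        resp_headers, body = self.origin(url, req_headers)
        directives = _names(resp_headers.get("Cache-Control", ""))
        if "private" in directives or "no-store" in directives:
            return body, "MISS (not stored)"  # a shared cache must not keep it
        vary = _names(resp_headers.get("Vary", ""))
        if url not in self.entries or self.entries[url][0] != vary:
            self.entries[url] = (vary, {})
        key = tuple(req_headers.get(n, "") for n in vary)
        self.entries[url][1][key] = body
        return body, "MISS"

def second_visitor_sees(extra_headers):
    """Manager loads the page, then a cookie-less browser asks for the same URL."""
    cache = SharedCache(make_origin(extra_headers))
    cache.fetch("/isd197", {"cookie": "login=manager"})
    return cache.fetch("/isd197", {})

if __name__ == "__main__":
    for headers in ({}, {"Cache-Control": "private"}, {"Vary": "Cookie"}):
        print(headers, "->", second_visitor_sees(headers))
```

In Zope such a header can be set on the response with `RESPONSE.setHeader('Cache-Control', 'private')`. A proxy that ignores these headers will still serve stale identities, so the cache's own configuration remains part of the fix.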