[Ricardo Kustner]
Hi,
On Tue, May 09, 2000 at 09:12:49PM +0200, Harald Meland wrote:
Please write a patch which puts the string "Cookie could not be set" on the web page so that I can see that pressing submit will not work :-)
I think that's a good point... it would save some user questions if MM tells exactly why the authorisation failed.
While I agree that such a warning would be nice, I don't think it's possible to do such things with cookies.
It's possible to set a test cookie to see if cookies are enabled...
Ahh, I didn't even think of using multiple cookies :)
If I understand you correctly, you're proposing something like this:
Whenever Mailman is about to write a login page (i.e. the user is not already authenticated), it first issues a
Set-Cookie: Mailman_cookie_test="This cookie is only used to test whether your browser will be able to authenticate with Mailman"; Version=1
HTTP header (If other Mailman cookies set attributes like Path or Domain, the test cookie should mirror these to make the test reflect real usage).
Next, once the user has pressed the "Let me in..." button, Mailman checks whether the Cookie has been sent back. If it hasn't, authentication fails (as the user won't be able to make any changes anyway), and Mailman instructs the user to enable Cookies in her browser before retrying login.
If the test Cookie is present, Mailman should issue a
Set-Cookie: Mailman_cookie_test="clickety click"; Max-Age=0; Version=1
HTTP header (to delete the test cookie, so that the test cookie isn't later confused with test cookies for login attempts at other lists).
Finally, Mailman proceeds with password authentication as usual, possibly resulting in an authentication cookie.
Hmmmm... I guess the test cookie should contain info on what list it is for, as well.
Have I understood you correctly? Does anyone think that implementing this (apart from my misunderstandings, of course :) would be a bad thing?
And, while we're talking about cookies: Does anyone know whether switching from the cookie attribute "Expires" (which was part of the original Netscape cookie proposal) to the RFC2109 cookie attribute "Max-Age" is likely to cause any problems?
I've had a look at Cookie.py, and the value part of the Expires attribute isn't enclosed in double quotes (in accordance with the original Netscape cookie proposal), which I believe might confuse Mailman in some situations where the browser sends back more than one cookie.
Of course, if there are any (major) browsers in use out there that don't understand Max-Age, it would be a bad idea to change Mailman.
Harald
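
The test-cookie flow proposed in the message above, sketched as an added example; it is not part of the original post and not Mailman's code. It uses Python's standard `http.cookies` module, and the function names, status strings, the `/mailman` path and the `password_ok` flag are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

TEST_COOKIE = "Mailman_cookie_test"  # cookie name used in the message above


def _test_cookie(value, path, max_age=None):
    """Build one Set-Cookie header for the test cookie."""
    jar = SimpleCookie()
    jar[TEST_COOKIE] = value
    jar[TEST_COOKIE]["path"] = path      # mirror the real cookie's attributes
    jar[TEST_COOKIE]["version"] = 1
    if max_age is not None:
        jar[TEST_COOKIE]["max-age"] = max_age
    return ("Set-Cookie", jar[TEST_COOKIE].OutputString())


def login_page_headers(listname, path="/mailman"):
    """Sent with every login form; the value names the list it was issued for."""
    return [_test_cookie(listname, path)]


def handle_login(cookie_header, listname, password_ok, path="/mailman"):
    """Process a login submit. Returns (status, response headers).

    password_ok stands in for the normal password check (hypothetical flag).
    The test cookie proves only that cookies round-trip; it grants nothing.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(TEST_COOKIE)
    if morsel is None or morsel.value != listname:
        # No cookie came back, or it belongs to another list's login attempt:
        # tell the user to enable cookies and offer the form (and test) again.
        return "cookies-disabled", login_page_headers(listname, path)
    if not password_ok:
        # The login form is shown again, so the test cookie is simply re-issued.
        return "bad-password", login_page_headers(listname, path)
    # Success: expire the test cookie so it cannot be mistaken for a later test.
    # The real authentication cookie would be added to these headers here.
    return "authenticated", [_test_cookie("done", path, max_age=0)]
```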