Ticket #1 (defect)
Opened 2 years ago
Last modified 2 years ago
When changing cookie secret: BadTicket: Digest signature is not correct
Status: closed (fixed)
| Reported by: | thejimmyg | Assigned to: | thejimmyg |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | component1 | Version: | |
| Keywords: | | Cc: | |
Hello,
I am running a Pylons project using authkit under Apache, using plain CGI, with wsgiref as the server.
I noticed that if I have
authkit.enable = true
authkit.method = form
authkit.users.setup = test:test
authkit.cookie.secret = a random string
authkit.cookie.signout = /signout
in my test.ini config file, and then I log in as a user (by going to a page whose controller raises a NotAuthenticatedError if REMOTE_USER is not set),
and then I edit the test.ini config file, changing the secret line to:
authkit.cookie.secret = a randomstring
and then in the web browser I simply reload the page (the same page which required authorization), I get an internal server error.
(Strangely, this doesn't seem to happen with all pairs of authkit.cookie.secret values, just some of them.)
I find the following traceback in my log file:
File '/home/filtere/lib/python2.4/site-packages/Paste-0.9.8.1-py2.4.egg/paste/exceptions/errormiddleware.py', line 140 in __call__
  app_iter = self.application(environ, detect_start_response)
File '/home/filtere/lib/python2.4/site-packages/Paste-0.9.8.1-py2.4.egg/paste/auth/auth_tkt.py', line 253 in __call__
  timestamp, userid, tokens, user_data = parse_ticket(
File '/home/filtere/lib/python2.4/site-packages/Paste-0.9.8.1-py2.4.egg/paste/auth/auth_tkt.py', line 157 in parse_ticket
  expected=(expected, digest))
BadTicket: Digest signature is not correct
Clearing the cookie in the browser seems to be necessary at this point.
This probably won't be a frequent problem if it only occurs when the cookie secret is changed; however, it would still be desirable to avoid it. When this sort of thing happens, the result shouldn't be an internal server error and a traceback, and the repetition of the problem until the user clears their cookie manually. Rather, in my opinion, what should happen is some sort of message somewhere, plus clearing the user's cookie, plus giving the user another login form.
Change History
12/05/06 11:09:29: Modified by thejimmyg
- status changed from new to closed.
- resolution set to fixed.

I've changed the middleware to remove the cookie and display a 401 page if there is a BadTicket.
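The following is an added example, not AuthKit's or Paste's own code, showing the behaviour this ticket asks for: a WSGI middleware that verifies a signed ticket cookie and, when the digest no longer matches because the secret was rotated, clears the cookie and answers 401 instead of letting BadTicket propagate as a 500. The ticket format (`digest!timestamp!userid`, HMAC-SHA256), the cookie name `auth_tkt`, and the `protected_app` are simplifications assumed for the example and are not the mod_auth_tkt wire format that paste.auth.auth_tkt implements.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "auth_tkt"  # assumed for this example


class BadTicket(Exception):
    """Raised when a ticket is malformed or its signature does not match the current secret."""


def make_ticket(secret, userid, timestamp=None):
    """Sign 'timestamp!userid' with the secret; simplified scheme, not mod_auth_tkt's format."""
    ts = int(timestamp if timestamp is not None else time.time())
    payload = f"{ts}!{userid}"
    digest = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{digest}!{payload}"


def parse_ticket(secret, ticket):
    """Return (timestamp, userid) or raise BadTicket. Constant-time digest comparison."""
    try:
        digest, ts, userid = ticket.split("!", 2)
    except ValueError:
        raise BadTicket("Ticket is malformed")
    expected = hmac.new(secret.encode(), f"{ts}!{userid}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(digest, expected):
        # This is the case the ticket describes: a cookie signed under the old secret.
        raise BadTicket("Digest signature is not correct")
    return int(ts), userid


class AuthTktMiddleware:
    """Sets REMOTE_USER from a valid ticket; on BadTicket clears the cookie and returns 401."""

    def __init__(self, app, secret, cookie_name=COOKIE_NAME):
        self.app = app
        self.secret = secret
        self.cookie_name = cookie_name

    def __call__(self, environ, start_response):
        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        morsel = cookies.get(self.cookie_name)
        if morsel is not None:
            try:
                _ts, userid = parse_ticket(self.secret, morsel.value)
            except BadTicket as exc:
                return self._reject(start_response, str(exc))
            environ["REMOTE_USER"] = userid
        return self.app(environ, start_response)

    def _reject(self, start_response, reason):
        # Max-Age=0 tells the browser to drop the stale cookie, so the next
        # request arrives unauthenticated and gets the login form instead of
        # the same failure again.
        clear_cookie = f"{self.cookie_name}=; Path=/; Max-Age=0"
        body = f"401 Unauthorized: {reason}\n".encode()
        start_response("401 Unauthorized", [
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
            ("Set-Cookie", clear_cookie),
        ])
        return [body]


def protected_app(environ, start_response):
    """Assumed downstream app: requires REMOTE_USER, like the ticket's controller."""
    user = environ.get("REMOTE_USER")
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]


def call_app(app, environ):
    """Invoke a WSGI app without a server; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def simulate_secret_rotation(old_secret, new_secret, userid="test"):
    """Same browser cookie, before and after the secret in the config changes."""
    ticket = make_ticket(old_secret, userid)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/private",
               "HTTP_COOKIE": f"{COOKIE_NAME}={ticket}"}  # constructed request
    before = call_app(AuthTktMiddleware(protected_app, old_secret), dict(environ))
    after = call_app(AuthTktMiddleware(protected_app, new_secret), dict(environ))
    return before, after


if __name__ == "__main__":
    for status, headers, body in simulate_secret_rotation("a random string", "a randomstring"):
        print(status, headers.get("Set-Cookie"), body)
```

The same reasoning applies to a genuinely forged or corrupted cookie: a signature mismatch is a client-side condition, so the right response is a clean 401 plus a cleared cookie, never an unhandled exception that the error middleware turns into a traceback.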