[Product-Developers] Java applet reads __ac cookie: zope-root/acl_users vs plone-root/acl_users

David Glick (Plone) david.glick at plone.org
Mon Dec 10 17:16:31 UTC 2012

On 12/10/12 7:32 AM, Jochen Dekeyser wrote:
> Hi,
> I am working with Plone 4.1.6. I made a product which includes a Java
> applet. This applet is used to read a file (=ATBlob) from the Plone site and
> display it. When a user has logged in, and the ATBlob has status "Private",
> the applet can read the file by using the __ac cookie. If it did not use
> this cookie, the applet would be redirected to
> plone-root/acl_users/credentials_cookie_auth/require_login?came_from=...
> because it cannot authenticate...
> When I use user admin (or another user in zope-root/acl_users), this works.
> When I use a regular plone-user (in plone-root/acl_users), this does not
> work. The applet cannot read the __ac cookie, for some unknown reason. When
> I check my browser, I can look up the __ac cookie of the plone-user, so it is
> certainly there...
> Is there some difference between zope-root/acl_users and
> plone-root/acl_users which can explain this behaviour?
> I searched for days... Any help welcome!

This is probably because for users in Plone's acl_users the cookie is
generated by plone.session, which sets an HttpOnly cookie.
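
Added example, not part of the original thread or of Plone's code: a Python check of the HttpOnly attribute the reply points to, showing which cookies a browser would expose to non-HTTP APIs such as `document.cookie`. The header values are constructed, and treating the cookie issued for a zope-root user as lacking HttpOnly is an assumption of the example, not something the thread states.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values (not captured from a real site).
# Assumption: the first models a cookie issued without HttpOnly, the second
# models the HttpOnly cookie the reply attributes to plone.session.
SAMPLE_HEADERS = [
    "__ac=constructed-root-user-value; Path=/",
    "__ac=constructed-plone-user-value; Path=/; HttpOnly",
]


def cookie_flags(set_cookie_value):
    """Return {cookie name: {"httponly": bool, "secure": bool}} for one header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return {
        name: {
            "httponly": bool(morsel["httponly"]),
            "secure": bool(morsel["secure"]),
        }
        for name, morsel in jar.items()
    }


def readable_by_client_code(set_cookie_value):
    """Names of cookies a browser would expose to non-HTTP APIs (document.cookie).

    HttpOnly cookies are still sent with HTTP requests, and still show up in the
    browser's own cookie viewer, but are withheld from script-level access.
    """
    flags = cookie_flags(set_cookie_value)
    return sorted(name for name, f in flags.items() if not f["httponly"])


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        visible = readable_by_client_code(header)
        print(f"{header!r}: readable by client code -> {visible or 'none'}")
```
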
