I always log in to my development Zope instance using basic auth (e.g. http://localhost:8080/manage). But often the sites I work on have their own authentication credential checking routines (via cookies, usually) when I traverse into a subfolder (eg a CMF site). Historically this has been OK, because the cookie challenges never make it to me while I'm logged in as a management user because my basic auth credentials are sent to the server on each request. But Safari 3 actually either dumps its knowledge about basic auth credentials every so often, or just fails to send them to the server on subsequent requests (after say, 5 minutes of inactivity). What happens to me after Safari fails to send the credentials along on subsequent requests to my development system is that the cookie login stuff kicks in as the challenge because I'm usually traversing to a part of the site where the challenge code is no longer something that asks for basic auth credentials. And often I can't log in as the management user, because this challenge only checks user data in this part of the site. This is minor pain in the ass, so I'm using Firefox more these days (it doesn't seem to have this behavior). I was just wondering if anyone else had noticed this. Safari 2 didn't do this. I suppose this behavior is not a spec violation, but it does violate the rule of least surprise for dubious benefit ("security?")