I've been running some M-Pin sessions, capturing
and looking at the traffic between the Miracl
Javascript client and Python RP server.

Among other things, I see repeated unsuccessful calls:

POST /rps/accessnumber HTTP/1.1^M
....
Content-Type: text/plain;charset=UTF-8^M
Cookie: mpindemo_session="..."^M
^M
{"webOTT":"13468f969413889e287a69ddc526fef6"}

(aside: that's JSON being sent as text/plain)

Now the response to this is a 401, with other HTTP headers
whose legitimacy might be in question, and no body:

HTTP/1.1 401 Unauthorized^M
Server: TornadoServer/4.1^M
Www-Authenticate: Authenticate^M
[more]

I guess the "Authenticate" value to WWW-Authenticate is handled
by the Javascript, but shouldn't the browser itself be presented
with something it knows?  Conventional values are Basic or Digest
(with appropriate parameters).

What I'm seeing is what looks like "undefined" browser behaviour
in response to an unknown WWW-Authenticate.  That is to say, the
browser sends off an identical request and receives an identical
reply, repeated many times while slower human interaction takes
place as I (successfully or otherwise) log in.

Also, at no point in the interaction is there a successful
call to /rps/accessnumber. Always 401 as above.

How much of this is intentional, and why?

-- 
Nick Kew
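The three observations above (a JSON body declared as text/plain, a 401 whose WWW-Authenticate carries a scheme the browser does not know, and the same request/response pair repeated many times) can each be checked mechanically against a capture. The following Python is an added example for this thread, not code from the post, from Miracl, or from the M-Pin client or RP server. It assumes a set of "conventional" authentication schemes (Basic and Digest as the post names, plus a few IANA-registered ones) and runs over a constructed capture with placeholder cookie and webOTT values.

```python
import json
from collections import Counter

# Assumption: the schemes a browser or standard HTTP client acts on natively.
# Basic and Digest are the ones the post names; the others are IANA-registered.
KNOWN_SCHEMES = {"basic", "digest", "bearer", "negotiate", "ntlm"}

# Constructed sample capture modelled on the exchange in the post: the same
# request/response pair repeated three times. The session cookie and webOTT
# values are placeholders, not real data.
SAMPLE_REQUEST = (
    "POST /rps/accessnumber HTTP/1.1\r\n"
    "Content-Type: text/plain;charset=UTF-8\r\n"
    'Cookie: mpindemo_session="PLACEHOLDER_SESSION"\r\n'
    "\r\n"
    '{"webOTT":"PLACEHOLDER_WEBOTT"}'
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: TornadoServer/4.1\r\n"
    "Www-Authenticate: Authenticate\r\n"
    "\r\n"
)
SAMPLE_EXCHANGES = [(SAMPLE_REQUEST, SAMPLE_RESPONSE)] * 3


def parse_message(raw):
    """Split a raw HTTP/1.1 message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_www_authenticate(value):
    """Classify a WWW-Authenticate challenge (RFC 7235: auth-scheme [ SP params ]):
    which scheme it names, whether a browser handles it natively, and whether
    it carries parameters such as realm."""
    scheme, _, rest = value.strip().partition(" ")
    return {
        "scheme": scheme,
        "known": scheme.lower() in KNOWN_SCHEMES,
        "has_params": bool(rest.strip()),
    }


def check_content_type(headers, body):
    """Return a finding if the body parses as JSON but is not declared as such."""
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    if declared == "application/json":
        return None
    try:
        json.loads(body)
    except ValueError:
        return None  # not JSON, nothing to flag
    return "JSON body declared as %s" % (declared or "no Content-Type")


def analyze(exchanges):
    """Run the checks over (request, response) raw-message pairs and return
    a list of human-readable findings."""
    findings = []
    for (req, resp), n in Counter(exchanges).items():
        req_line, req_headers, req_body = parse_message(req)
        status_line, resp_headers, _ = parse_message(resp)
        status = status_line.split(" ", 2)[1] if " " in status_line else ""

        ct = check_content_type(req_headers, req_body)
        if ct:
            findings.append("%s: %s" % (req_line, ct))

        if status == "401":
            challenge = resp_headers.get("www-authenticate")
            if challenge is None:
                findings.append("%s: 401 without WWW-Authenticate" % status_line)
            else:
                info = check_www_authenticate(challenge)
                if not info["known"]:
                    findings.append("%s: WWW-Authenticate scheme '%s' is not a scheme "
                                    "the browser handles natively" % (status_line, info["scheme"]))
                elif not info["has_params"]:
                    findings.append("%s: scheme '%s' carries no parameters (e.g. realm)"
                                    % (status_line, info["scheme"]))

        if n > 1:
            findings.append("%s -> %s repeated %d times identically" % (req_line, status_line, n))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EXCHANGES):
        print(finding)
```

Run on the constructed capture it reports the text/plain JSON, the unrecognised "Authenticate" scheme, and the threefold identical repeat; on a real capture the repeat count is the quickest way to see whether the retries come from a fixed client timer or are genuinely unbounded. Treat any captured webOTT as a one-time credential and redact it before sharing a trace.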
