Microsoft's Hotmail uses the proprietary HTTPMail protocol to allow Outlook Express and
MSN Messenger to access Hotmail webmail accounts. This is a simple WebDAV
(http://www.webdav.org) based protocol which is supposed to be an HTTP extension. I work
on an open source project which uses LWP to access Hotmail through this protocol (see
https://sourceforge.net/projects/httpmail/).
Recently the login process on the Hotmail servers was changed in a way that two
WWW-Authentications are performed during a single LWP::UserAgent 'request'. This has
broken our LWP::UserAgent based client.
This is a summary of the first line of each request and response with additional fields
in brackets (I hope it's clear...):
1. PROPFIND /svcs/hotmail/httpmail.asp HTTP/1.1
   HTTP/1.1 302 Object moved (Location: http://oe.hotmail.com/cgi-bin/hmdata)
2. PROPFIND /cgi-bin/hmdata HTTP/1.1
   HTTP/1.1 401 Authorization Required (WWW-Authenticate: Digest realm="hotmail.com"...)
3. PROPFIND /cgi-bin/hmdata HTTP/1.1 (Authorization: Digest username="[EMAIL PROTECTED]"...)
   HTTP/1.1 302 Redirected (Location: http:[EMAIL PROTECTED]?)
4. PROPFIND [EMAIL PROTECTED]? HTTP/1.1
   HTTP/1.1 401 Authorization Required (WWW-Authenticate: Digest realm="hotmail.com"...)
5. PROPFIND [EMAIL PROTECTED]? HTTP/1.1 (Authorization: Digest username="email"...)
   HTTP/1.1 302 Redirected (Location: http://loginnet.passport.com/digest.srf?parameters)
6. PROPFIND /digest.srf?parameters HTTP/1.1
   HTTP/1.1 401 Unauthorized (WWW-Authenticate: Digest realm="Microsoft Passport"...)
7. PROPFIND /digest.srf?parameters HTTP/1.1 (Authorization: Digest username="email"...)
   HTTP/1.1 302 Redirect to partner (Location: http:[EMAIL PROTECTED]?parameters)
8. PROPFIND [EMAIL PROTECTED]?parameters HTTP/1.1
   HTTP/1.1 207 Multi-Status (Success!)
LWP::UserAgent does not support such a dual authentication process: it continues to
send the same 'Authorization' after redirections and then fails to authenticate to the
second server since a different realm is used.
In order for LWP::UserAgent to work for this mess I did a little patch in 'sub request',
so that the 'Authorization' is removed after redirections:
$referral->url($referral_uri);
# Remove the authorization after redirect
$referral->remove_header('Host', 'Cookie', 'Authorization');
# Make sure LWP::Authen::Digest forgets the first authentication
$response->request->{digest_user_pass} = (undef, undef);
Instead of:
$referral->url($referral_uri);
$referral->remove_header('Host', 'Cookie');
This is clearly the wrong way, and will break some other code. Can you offer a way to
do it the right way (inheritance, etc.)?
Is this an implementation error of Hotmail or of LWP::UserAgent? I couldn't figure out the
right behaviour from the HTTP RFC.
That's a long explanation. Thanks for your time!
Uri C.
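
The following is an added example, not part of the original message or of the httpmail project's code: one way to get the header stripping through inheritance, by overriding the documented `redirect_ok` hook so that `Authorization` is dropped only when a redirect leaves the original scheme, host and port. The class name `CrossOriginSafeUA` and the sample URLs and header value are constructed for illustration, and the sketch does not touch the internal `digest_user_pass` field used in the patch above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package CrossOriginSafeUA;    # hypothetical class name
use parent 'LWP::UserAgent';

# scheme plus host:port of a URI, or undef for URIs without a server part
sub _origin {
    my ($uri) = @_;
    $uri = $uri->canonical;
    return unless $uri->can('host_port');
    return join '://', $uri->scheme, $uri->host_port;
}

# request() calls this with the already-cloned follow-up request before sending it.
sub redirect_ok {
    my ($self, $prospective, $response) = @_;
    my $from = _origin($response->request->uri);
    my $to   = _origin($prospective->uri);
    unless (defined $from && defined $to && $from eq $to) {
        # Different server: do not replay credentials computed for the old one.
        # The new server's 401 challenge then drives a fresh authentication.
        $prospective->remove_header('Authorization');
    }
    return $self->SUPER::redirect_ok($prospective, $response);
}

package main;
use HTTP::Request;
use HTTP::Response;

# Offline check with constructed messages; nothing is sent on the network.
# PROPFIND is not redirectable by default, so it is allowed explicitly here.
my $ua = CrossOriginSafeUA->new(requests_redirectable => [qw(GET HEAD PROPFIND)]);

for my $target ('http://oe.hotmail.com/cgi-bin/other',          # same origin
                'http://loginnet.passport.com/digest.srf') {    # different origin
    my $orig = HTTP::Request->new(PROPFIND => 'http://oe.hotmail.com/cgi-bin/hmdata');
    $orig->header(Authorization => 'Digest username="user", realm="hotmail.com"');
    my $resp = HTTP::Response->new(302, 'Redirected');
    $resp->request($orig);

    my $next = $orig->clone;    # mirrors what request() does before redirect_ok
    $next->uri($target);
    my $follow = $ua->redirect_ok($next, $resp);
    printf "%-42s follow=%d authorization=%s\n", $target, $follow ? 1 : 0,
        defined $next->header('Authorization') ? 'kept' : 'stripped';
}
```

Keeping the header on same-origin redirects avoids an extra 401 round trip, while stripping it on cross-origin ones keeps a digest response computed for one realm from being sent to an unrelated server.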