Hi there,
On 8 Nov 2002, Brett Hales wrote:
> I believe that there is a bug in the Apache::AuthenNTLM module.
Did you see this?
73,
Ged.
----------------------------------------------------------------------
Date: Thu, 7 Nov 2002 17:46:15 -0600 (CST)
From: Gerald Combs <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: NTLM Authentication patch

We recently installed AuthenNTLM where I work, and ran into the POST
problems described in the thread at
http://marc.theaimsgroup.com/?t=103177365400006&r=1&w=2

After looking through a couple of network traces I think I've found the
problem. It appears that after IE authenticates via NTLM, it sends type 1
messages for subsequent requests during a keepalive session. This is fine
and dandy unless you're sending a POST request - when it sends the type 1
message, it also sends a "Content-length: 0", and doesn't append the POST
data. Since the browser has successfully authenticated itself earlier in
the keepalive session, AuthenNTLM validates the request and a POST with no
accompanying POST data gets passed to the server.

Attached is a patch against the 0.21 release that fixes this behavior (in
our environment, at any rate). I know very little about NTLM
authentication and mod_perl coding, so the patch may not be entirely
correct.
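
Added example, not part of the original messages and not the attached patch (which is not reproduced on this page): a Python sketch of the per-request decision described above, contrasting "trust the already-authenticated keepalive connection" with one possible stricter handling that restarts the handshake whenever a type 1 message arrives. The function names, return labels and the sample header are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this

def ntlm_message_type(authorization):
    """Return the message type field of an 'NTLM <base64>' header value, else None."""
    scheme, _, blob = (authorization or "").strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(SIGNATURE):
        return None
    # 32-bit little-endian message type follows the 8-byte signature
    return struct.unpack_from("<I", raw, 8)[0]

def naive_decide(conn_authenticated, headers):
    """Behaviour described in the message: trust the keepalive connection."""
    if conn_authenticated:
        return "accept"
    return strict_decide(conn_authenticated, headers)

def strict_decide(conn_authenticated, headers):
    """Hypothetical stricter handling: a type 1 message always restarts the handshake."""
    auth = headers.get("Authorization")
    if auth is None:
        return "accept" if conn_authenticated else "request_auth"
    msg_type = ntlm_message_type(auth)
    if msg_type == 1:
        return "challenge"   # reply 401 with a type 2 message; the body comes later
    if msg_type == 3:
        return "verify"      # check the response against the issued challenge
    return "request_auth"    # malformed or unexpected header

def sample_type1_header():
    """Constructed type 1 (negotiate) message: signature, type, flags."""
    raw = SIGNATURE + struct.pack("<II", 1, 0x0000B203)
    return "NTLM " + base64.b64encode(raw).decode("ascii")

# Constructed request: the empty POST that accompanies a type 1 message
EMPTY_POST = {"Authorization": sample_type1_header(), "Content-Length": "0"}

if __name__ == "__main__":
    print(naive_decide(True, EMPTY_POST))   # accept
    print(strict_decide(True, EMPTY_POST))  # challenge
```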