Maurizio Lotauro wrote:
> Fastream Technologies <[EMAIL PROTECTED]> writes:
>
>> Hello,
>>
>> I am trying to fix digest authentication coded by Peter. We have a big
>> problem with Internet Explorer. In the setup below, you will see a web page
>> requested without first sending the "Authorization:" header. Then the server
>
> I think that it is normal because you need some information from the server
> before starting the authentication.

It is in fact normal: The first request does not know that
authentication is required, so the server responds with 401 and the
credential requirements. The second request includes the credentials
and the server authenticates. But I don't think this was the problem
pointed out, was it?

>> 24.01.2006 13:31:57 From Remote
>>
>> HTTP/1.1 401 Authorization Required..WWW-Authenticate: Digest Basic
>> realm=localhost/%3EFastream.com/, uri="localhost/%3EFastream.com/",
>> qop="auth,auth-int", nonce="MjAwNi0wMS0yNCAxMzozMTo1Nw==",
>> opaque="ETimpfFSr8qhbccexiZCu80UjTzQdMUmMm"..Content-Length:
>
> Why is Basic right after Digest? It should be in a separate header line:
>
> WWW-Authenticate: Digest realm=...
> WWW-Authenticate: Basic realm=...

As far as I know, you may list them in the same header in the order of
preference. Setting them in different headers will just squash them
into a flat list on the client-side. So these two are the same:

    WWW-Authenticate: Digest Basic realm="foo"

and

    WWW-Authenticate: Digest realm="foo"
    WWW-Authenticate: Basic realm="foo"

The problem I see, as SZ pointed out, is that IE7 submitted the wrong
realm string, which is plainly wrong. The server seemed to have
acquiesced to the request, because it returned +200 and content;
however, he said that IE7 crashed after that.

I don't have IE7, so I cannot reproduce the problem -- in fact IE6.0
seems to work fine, but I haven't been able to test in more than "Basic"
authentication, as I do not have access to a server supporting Digest at
the moment.

Of course, it could be an IE7 bug -- perhaps Digest Authentication
hasn't been fully implemented, or some idiot left the realm hard-coded
as "Test" while debugging... In any case, is there any indication as to
what caused the crash or at what precise moment it occurred?

SZ, is there a way you could set up a test server for some of us to test
with various clients? Also, could you send me a transcript of the HTTP
transaction with Firefox or Opera, just to see what is different?

dZ.
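
The server-side check implied by the discussion above, as an added example that is not part of the original thread or of the project's code: it parses a Digest `Authorization` header and rejects credentials whose realm, nonce or opaque differ from what the 401 challenge issued, before verifying the RFC 2617 response for qop=auth. The function names, the sample user and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')  # key="quoted" or key=token

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(header_value):
    """Return the Digest parameters as a dict, or None for another scheme."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k.lower(): q or t for k, q, t in _PAIR.findall(rest)}

def expected_response(p, method, password):
    """RFC 2617 request-digest for algorithm MD5 with qop=auth."""
    ha1 = md5_hex(f'{p["username"]}:{p["realm"]}:{password}')
    ha2 = md5_hex(f'{method}:{p["uri"]}')
    return md5_hex(":".join([ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"], ha2]))

def check_authorization(header_value, method, issued, passwords):
    """Return (ok, reason); `issued` holds the values sent in the 401 challenge."""
    p = parse_digest(header_value)
    if p is None:
        return False, "not a Digest credential"
    needed = ("username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce")
    if any(k not in p for k in needed):
        return False, "missing parameter"
    # Values the client echoes must equal what the server issued.
    for key in ("realm", "nonce", "opaque"):
        if p.get(key) != issued[key]:
            return False, f"{key} mismatch"
    if p["qop"] != "auth" or p["username"] not in passwords:
        return False, "unsupported qop or unknown user"
    good = expected_response(p, method, passwords[p["username"]])
    if not hmac.compare_digest(good.encode(), p["response"].lower().encode()):
        return False, "bad response"
    return True, "ok"

# Constructed sample values and client header builder (not from the thread's capture).
ISSUED = {"realm": "example-realm", "nonce": "bm9uY2U=", "opaque": "b3BhcXVl"}
PASSWORDS = {"alice": "s3cret"}

def sample_header(realm):
    p = {"username": "alice", "realm": realm, "nonce": ISSUED["nonce"], "uri": "/",
         "qop": "auth", "nc": "00000001", "cnonce": "abc", "opaque": ISSUED["opaque"]}
    p["response"] = expected_response(p, "GET", PASSWORDS["alice"])
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in p.items())
```

A header built with the realm `Test` is internally consistent but still fails with "realm mismatch", so the server answers 401 again instead of 200. Nonce expiry and `nc` replay tracking are outside this example.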