----- Original Message -----
From: "DZ-Jay" <[EMAIL PROTECTED]>
To: "ICS support mailing" <twsocket@elists.org>
Sent: Tuesday, January 24, 2006 7:25 PM
Subject: Re: [twsocket] Need help with RFC2617 and IE bug

> Maurizio Lotauro wrote:
>> DZ-Jay <[EMAIL PROTECTED]> writes:
>>
>>> Fastream Technologies wrote:
>>>> Hello,
>>>>
>>>> Thank you both for your replies. I found the problem myself: IE6 has a
>>>> bug that makes it expect a comma before Realm="...".
>>> That's really weird. Does adding the comma break it on Firefox or
>>> Opera? The RFC does not specify that a comma is required, only
>>> whitespace, and that [param]=[value] is what denotes a parameter.
>>
>> Comma is used to separate each [param]=[value] pair.
>
>
> RFC2617 says that the authentication parameters are a comma-separated
> list -- that is if there are more than one parameter, they are separated
> by comma. In this case, Realm is only *one* parameter. The comma after
> the authentication method token is (or should be) invalid:
>
>
> "1.2 Access Authentication Framework
> [...]
> HTTP provides a simple challenge-response authentication mechanism that
> MAY be used by a server to challenge a client request and by a client to
> provide authentication information. It uses an extensible,
> case-insensitive token to identify the authentication scheme, followed
> by a comma-separated list of attribute-value pairs which carry the
> parameters necessary for achieving authentication via that scheme."
>
>
> Furthermore, it adds the following warning, acknowledging that more than
> one authentication token will complicate parsing:
>
>
> "Note: User agents will need to take special care in parsing the
> WWW-Authenticate or Proxy-Authenticate header field value if it contains
> more than one challenge, or if more than one WWW-Authenticate header
> field is provided, since the contents of a challenge may itself contain
> a comma-separated list of authentication parameters."
>
> And lastly, here's an example provided in section 3.5:
>
> "3.5 Example
>
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Digest
>         realm="[EMAIL PROTECTED]",
>         qop="auth,auth-int",
>         nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
>         opaque="5ccc069c403ebaf9f0171e9517f40e41"
> "
>
> As you can see, "realm", "qop", "nonce", and "opaque" are separated by
> commas, since they are part of the parameter list; but there is no comma
> between Digest and this list, since the parameter list qualifies as a
> semantic token and the authentication tokens are whitespace delimited.

I have read the RFC but as I wrote half an hour ago, it is the MS guys that did not read it well. Or perhaps they developed when the RFC was a draft which has later been changed.

>
> Conclusion: I believe that IE has a bug that does not comply with
> RFC2617 -- perhaps this is originally an IIS bug of serving the headers
> wrongly; but the browser is so popular that the broken authentication
> mechanism is reproduced by most other servers and clients in order to be
> compatible.

I fully agree. However we need to support both standards otherwise we would be sacrificing 80% of the surfers.

Regards,

SZ

>
> dZ.
>
>
> --
> To unsubscribe or change your settings for TWSocket mailing list
> please goto http://www.elists.org/mailman/listinfo/twsocket
> Visit our website at http://www.overbyte.be
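
An added example, not code from this thread or from ICS: a Python parser for a WWW-Authenticate value that accepts both the RFC 2617 form and the comma-after-scheme form discussed above, keeps commas inside quoted strings intact, and splits multiple challenges in one header value. The function name `parse_challenges` and the sample header values are constructed for illustration.

```python
import re

# One lexical item: a comma, or a token optionally followed by =value,
# where value is a quoted-string (may contain commas) or a bare token.
_ITEM = re.compile(
    r'\s*(?:(,)|([^\s,="]+)(?:\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+)))?)')

# Constructed sample values (not taken from the thread).
RFC_FORM = 'Digest realm="example", qop="auth,auth-int", nonce="abc123"'
COMMA_FORM = 'Digest, Realm="example", nonce="abc123"'
MULTI = 'Basic realm="example", Digest realm="example", qop="auth,auth-int", nonce="abc123"'

def parse_challenges(value):
    """Return one dict per challenge: scheme, params, comma_after_scheme."""
    challenges, pos, after_scheme = [], 0, False
    value = value.strip()
    while pos < len(value):
        m = _ITEM.match(value, pos)
        if not m:
            raise ValueError(f"unparseable at offset {pos}: {value[pos:pos + 20]!r}")
        pos = m.end()
        comma, name, quoted, bare = m.groups()
        if comma:
            # A comma directly after the scheme token is the non-RFC form.
            if after_scheme:
                challenges[-1]["comma_after_scheme"] = True
            continue
        if quoted is None and bare is None:
            # A token with no "=" starts a new challenge.
            challenges.append(
                {"scheme": name, "params": {}, "comma_after_scheme": False})
            after_scheme = True
            continue
        if not challenges:
            raise ValueError("auth-param before any scheme")
        # Parameter names are case-insensitive; undo backslash escapes in quotes.
        val = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        challenges[-1]["params"][name.lower()] = val
        after_scheme = False
    return challenges

if __name__ == "__main__":
    for sample in (RFC_FORM, COMMA_FORM, MULTI):
        print(parse_challenges(sample))
```

The `comma_after_scheme` flag lets a client log which servers emit the non-RFC form instead of silently accepting it.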