On Sep 20, 2008, at 19:03, Maurizio Lotauro wrote:

> I just saw it. The 401 become after the whole file is sent.

Leave it to MS to allow for a DOS attack vector, ha! As Maurizio said, we need to test this on a server that responds after the headers are sent (before the payload).

> It's IE trying to upload a file to IIS 5.1 and basic authentication is
> required.

But isn't "basic authentication" handled in the way I mentioned before, that is, you close the connection when you receive the error from the server, and re-send the request with the auth header? I thought that the problem had to do with the specific NTLM authentication method, which required a challenge-response within the same session. (Boy, I should really go read up on that NTLM thing!)

I don't have access to a server accepting NTLM authentication, so I can't test for this.

> Should the 401 be considered an error?

Yes. Success responses are in the 200-299 range. Fatal error responses are in the 500-599 range, and 400-499 represent transient errors. This is typical of most "classic" Internet high-level protocols.

The 401 response code indicates a recoverable error: the server rejected the request because it requires authentication, you just need to resend the request with the appropriate credentials. As originally intended in the HTTP RFC, the protocol being stateless, it was expected that the response would follow the request and complete the session, and that the re-send would be an entirely new connection/session.

From what I understand now about NTLM (still need to learn about it!), it requires the cycle to happen within the same session, which counters the RFC, and thus is an exceptional case. I'm guessing that at least one browser handles this properly, otherwise NTLM would be completely useless.

dZ.

--
DZ-Jay [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html
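The Basic-authentication cycle discussed in this message (401, then a resend with credentials on a new connection), as an added example that is not part of the original post and is not ICS code. The loopback server, handler, credentials and payload are constructed for illustration; the server reads the whole body before answering, as the thread reports for IIS 5.1, so the function also returns how many upload bytes the server had to consume.

```python
import base64, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "demo", "s3cret"          # constructed credentials
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class UploadHandler(BaseHTTPRequestHandler):
    body_bytes_read = 0                    # total upload bytes the server consumed

    def do_POST(self):
        # Read the whole body before answering, so the 401 arrives after the upload.
        length = int(self.headers.get("Content-Length", 0))
        UploadHandler.body_bytes_read += len(self.rfile.read(length))
        if self.headers.get("Authorization") == EXPECTED:
            self.send_response(200)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="upload"')
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    def log_message(self, *args):          # keep the demo quiet
        pass

def post_once(port, payload, auth=None):
    """One request on its own connection; returns the status code."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Authorization": auth} if auth else {}
    conn.request("POST", "/upload", body=payload, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status

def upload_with_retry(payload):
    """Send unauthenticated, and on 401 resend with Basic credentials."""
    UploadHandler.body_bytes_read = 0
    server = HTTPServer(("127.0.0.1", 0), UploadHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        statuses = [post_once(port, payload)]
        if statuses[0] == 401:
            statuses.append(post_once(port, payload, EXPECTED))
        return statuses, UploadHandler.body_bytes_read
    finally:
        server.shutdown()
        server.server_close()
```

With a 4096-byte payload the server consumes 8192 bytes for one accepted upload, which is the cost of a 401 that only arrives after the body.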