On Sep 20, 2008, at 19:03, Maurizio Lotauro wrote:

> I just saw it. The 401 become after the whole file is sent.

Leave it to MS to allow for a DOS attack vector, ha!

As Maurizio said, we need to test this on a server that responds after 
the headers are sent (before the payload).

> It's IE trying to upload a file to IIS 5.1 and basic authentication is
> required.

But isn't "basic authentication" handled in the way I mentioned before, 
that is, you close the connection when you receive the error from the 
server, and re-send the request with the auth header?  I thought that 
the problem had to do with the specific NTLM authentication method, 
which required a challenge-response within the same session.  (Boy, I 
should really go read up on that NTLM thing!)

I don't have access to a server accepting NTLM authentication, so I 
can't test for this.

> Should the 401 be considered an error?

Yes.  Success responses are in the 200-299 range.  Fatal error 
responses are in the 500-599 range, and 400-499 represent transient 
errors.  This is typical of most "classic" Internet high-level 
protocols.  The 401 response code indicates a recoverable error: the 
server rejected the request because it requires authentication, you 
just need to resend the request with the appropriate credentials.

As originally intended in the HTTP RFC, the protocol being stateless, 
it was expected that the response would follow the request and complete 
the session, and that the re-send would be an entirely new 
connection/session.  From what I understand now about NTLM (still need 
to learn about it!), it requires the cycle to happen within the same 
session, which counters the RFC, and thus is an exceptional case.

I'm guessing that at least one browser handles this properly, otherwise 
NTLM would be completely useless.

        dZ.

-- 
        DZ-Jay [TeamICS]
        http://www.overbyte.be/eng/overbyte/teamics.html
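The two behaviours discussed above, as an added example that is not code from this thread or from ICS: a client that treats 401 as recoverable, closes and resends a Basic-authenticated request on a fresh connection, and refuses that strategy when the challenge is NTLM. The `transport` callable and `fake_server` are constructed stand-ins for the real socket and the IIS box, and the host, path and credentials are made up.

```python
import base64

def parse_response(raw: bytes):
    # Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body).
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {k.strip().lower(): v.strip() for k, _, v in (line.partition(":") for line in lines[1:])}
    return status, headers, body

def classify(status: int) -> str:
    # The classes the mail describes: 2xx success, 4xx recoverable, 5xx fatal.
    return {2: "success", 4: "recoverable", 5: "fatal"}.get(status // 100, "other")

def basic_token(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def build_request(method, path, host, body: bytes, authorization=None) -> bytes:
    # "Connection: close" because each attempt is meant to run on a fresh connection.
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}",
             f"Content-Length: {len(body)}", "Connection: close"]
    if authorization:
        lines.append(f"Authorization: {authorization}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body

def upload_with_basic_auth(transport, host, path, body, user, password):
    # transport(request_bytes) -> response_bytes, opening a NEW connection per call (assumed).
    # First attempt is anonymous; on 401 with a Basic challenge, resend once with credentials.
    authorization = None
    for attempt in range(2):
        status, headers, _ = parse_response(transport(build_request("PUT", path, host, body, authorization)))
        if classify(status) == "success":
            return status, attempt + 1
        if status != 401:
            raise RuntimeError(f"{classify(status)} response {status}")
        scheme = headers.get("www-authenticate", "").split(" ", 1)[0].lower()
        if scheme != "basic":
            # NTLM needs its challenge/response on one connection, so close-and-resend cannot finish it.
            raise RuntimeError(f"{scheme or 'unknown'} scheme needs a same-connection exchange")
        authorization = basic_token(user, password)
    raise RuntimeError("credentials rejected")

def fake_server(scheme="Basic", accepted=None):
    # Constructed stand-in for the IIS in the thread: 401 until the accepted Authorization arrives.
    def transport(request: bytes) -> bytes:
        if accepted and f"Authorization: {accepted}\r\n".encode("ascii") in request:
            return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
        return (f"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: {scheme} realm=\"upload\"\r\n"
                "Content-Length: 0\r\n\r\n").encode("ascii")
    return transport
```

Note that the whole body still goes out on every attempt here; stopping the payload before a 401 is a separate HTTP/1.1 mechanism (the `Expect: 100-continue` handshake) that this example does not exercise.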
