Re: BASIC authentication Issues with IE - Part II - Solved but WHY?

From: hector (nospam_at_nospam.com)
Date: 03/26/04


Date: Fri, 26 Mar 2004 10:55:37 -0500

Ken,

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%23IZcmOzEEHA.240@tk2msftngp13.phx.gbl...
> a) If different IE windows are running in separate IExplore.exe processes,
> they will not share credential information. Check using Task Manager, and
> Process Explorer etc to see what's going on.

Interesting.

Only one IEXPLORE.EXE instance when the second window was opened.

No problem!! Why???

Hmmmm, OH, I had OUTLOOK opened!!! Let's try closing OE and try it again.

Ok, I'm back... Yup! Same problem.

> b) Some of the stuff you have posted is a little incoherent. I suggest you
> download Ethereal (www.ethereal.com), and put a trace on the network to see
> what's going on.

Not necessary. We have complete control of the Request and Response
logging. The only thing the packet sniffer will offer is possibly looking
at a TCP reset issue, but that is not what's going on here. See the HTTP
REQUEST and RESPONSE logging below to show you what's going on.

> c) What should happen: if you authenticate to a website, then IE should
> continue to send your username/password to the website until the browser is
> closed -or- the website says that those credentials are not acceptable. Some
> users check the "remember password" option, but forget that they did so.

Doesn't apply. Did you get a moment to try what I did? I just got a
report from a beta tester saying this is a known problem with ASP when you
switch domains, local machine (default file home page) to a web domain. He
said he reported it to Microsoft last year.

Here is the summary of the request and response (I cut out what is not
necessary), using my local machine web server.

-------Request-----------
GET / HTTP/1.1
Host: hdev1
Connection: Keep-Alive

-------Response----------
HTTP/1.0 302 Found
Server: Wildcat/v6.0.451.1
Location: http://hdev1/public/
X-Powered-By: Wildcat.Net
Content-Type: text/html

Here the unauthenticated request comes in and the web server redirects it to a
public folder home page with a login link.

-------Request-----------
GET /login?mode=HTML HTTP/1.1
Referer: http://hdev1/public/default.htm
Host: hdev1
Connection: Keep-Alive

Here I clicked on the LOGIN link.

-------Response----------
HTTP/1.0 401 Unauthorized - user not logged in
Server: Wildcat/v6.0.451.1
Cache-Control: no-cache
X-Powered-By: Wildcat.Net
Content-Type: text/html
WWW-Authenticate: basic realm="Santronics Research"
Date: Fri, 26 Mar 2004 05:02:30 GMT

A 401 response is sent with a WWW-Authenticate header. This will tell the
browser to popup the login dialog.

-------Request-----------
GET /login?mode=HTML HTTP/1.1
Referer: http://hdev1/public/default.htm
Host: hdev1
Connection: Keep-Alive
Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=

The browser pops up the dialog and I log in. The authorization line is set
by the browser and then it reissues the login request back to the server.

-------Response----------
HTTP/1.0 302 Found
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Last-Modified: Fri, 26 Mar 2004 15:39:12 GMT
Server: Wildcat/v6.0.451.1
Location: http://hdev1/default.wct
X-Powered-By: Wildcat.Net
X-BBS-Name: Santronics Research
Content-Type: text/html
Date: Fri, 26 Mar 2004 10:39:12 GMT

The server now redirects the user to the authenticated login folder,
/hdev/default.wct which it will request from the server. No need to show
these details.

However, at this point I am logged in and I have lots of links, one is a
"who is online" link client?who.wcn, which I will open in a second
window.

-------Request-----------
GET /client?who.wcn HTTP/1.1
Referer: http://hdev1/default.wct
Host: hdev1
Connection: Keep-Alive
Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=

The authorized request is made for /hdev1/who.wcn

-------Response----------
HTTP/1.0 200 OK
Last-Modified: Fri, 26 Mar 2004 15:41:05 GMT
Server: Wildcat/v6.0.451.1
Cache-Control: no-cache
X-Powered-By: Wildcat.Net
X-BBS-Name: Santronics Research
Content-Type: text/html
Date: Fri, 26 Mar 2004 10:41:06 GMT

The request came in for the who.wcn and the response was a successful 200
response.

What is important here is that the WHO.WCN request was authorized!

Now I am going to close the WHO IS ONLINE window and try the request again.

-------Request-----------
GET /client?who.wcn HTTP/1.1
Referer: http://hdev1/default.wct
Host: hdev1
Connection: Keep-Alive

Notice that this time there is no authorization and the request was made
from the original authenticated login page at /hdev1/default.wct. This is an
IMPOSSIBLE state to be in unless the credentials were lost.

-------Response---------- size: 335 time: 70
HTTP/1.0 401 Unauthorized
Expires: -1
Last-Modified: Fri, 26 Mar 2004 15:43:52 GMT
Content-Length: 230
Server: Wildcat/v6.0.451.1
Cache-Control: no-cache
X-Powered-By: Wildcat.Net
Pragma: no-cache
Content-Type: text/html
WWW-Authenticate: basic realm="Santronics Research"
Date: Fri, 26 Mar 2004 10:43:52 GMT

and the server sends once again the 401 response because the request for
who.wcn was not authenticated!

This is an IE bug that has continued for many years. Why can't Microsoft
come straight once and for all with this? What in the hell is going on?
There is no consistency.

Anyway, thanks for your input.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
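The exchange logged above (302 to the public page, 401 challenge with WWW-Authenticate, retry with Authorization: Basic, 302 to default.wct, then an authorized request for who.wcn followed by one with the credentials dropped) replayed as an added example. This is editor-written code, not Wildcat's or IE's; the server only mirrors the status codes and headers shown in the post, the user "hector" with password "s3cret" is a constructed account, and the Browser class is a deliberately simple model of a client that caches Basic credentials per (host, realm) and replays them. Its forget() method reproduces the state the post calls impossible: a request with no Authorization header, which the server correctly answers with a fresh 401.

```python
import base64
import hmac
from typing import Dict, List, Optional, Tuple

HOST = "hdev1"
REALM = "Santronics Research"
# Constructed account store for this example; not the real server's users.
USERS = {"hector": "s3cret"}

Headers = Dict[str, str]


def parse_basic(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:pass)>' into (user, pass); None if absent or malformed."""
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_ok(creds: Optional[Tuple[str, str]]) -> bool:
    """Check a decoded (user, pass) pair against USERS with a constant-time compare."""
    if creds is None:
        return False
    expected = USERS.get(creds[0])
    return expected is not None and hmac.compare_digest(expected.encode(), creds[1].encode())


def serve(path: str, headers: Headers) -> Tuple[int, Headers]:
    """Server side: the statuses and auth headers logged in the post (bodies omitted)."""
    if path == "/":
        return 302, {"Location": f"http://{HOST}/public/"}
    if path.startswith("/public/"):
        return 200, {"Content-Type": "text/html"}
    if not credentials_ok(parse_basic(headers.get("Authorization"))):
        # Challenge: the browser is expected to prompt, then resend with Authorization.
        return 401, {"WWW-Authenticate": f'basic realm="{REALM}"', "Cache-Control": "no-cache"}
    if path.startswith("/login"):
        return 302, {"Location": f"http://{HOST}/default.wct"}
    return 200, {"Content-Type": "text/html"}


class Browser:
    """Client that caches Basic credentials per (host, realm) and replays them preemptively."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], str] = {}
        self.known_realm: Dict[str, str] = {}  # host -> realm already challenged for

    def get(self, host: str, path: str, login: Optional[Tuple[str, str]] = None) -> List[int]:
        """Fetch path; return the status of every round trip (a 401 retry adds a second one)."""
        statuses: List[int] = []
        headers: Headers = {"Host": host}
        realm = self.known_realm.get(host)
        if realm and (host, realm) in self.cache:
            headers["Authorization"] = "Basic " + self.cache[(host, realm)]
        status, resp = serve(path, headers)
        statuses.append(status)
        if status == 401 and login is not None:
            # "Login dialog": encode user:pass, remember it for this realm, retry once.
            realm = resp["WWW-Authenticate"].split('realm="', 1)[1].rstrip('"')
            token = base64.b64encode(f"{login[0]}:{login[1]}".encode()).decode()
            self.cache[(host, realm)] = token
            self.known_realm[host] = realm
            status, resp = serve(path, {"Host": host, "Authorization": "Basic " + token})
            statuses.append(status)
        return statuses

    def forget(self) -> None:
        """Drop cached credentials, the state the post says should be impossible."""
        self.cache.clear()


def replay_session() -> Dict[str, List[int]]:
    """Walk the four steps from the post and collect the status codes of each."""
    b = Browser()
    trace = {}
    trace["home"] = b.get(HOST, "/")                                        # 302 to /public/
    trace["login"] = b.get(HOST, "/login?mode=HTML", ("hector", "s3cret"))  # 401, then 302
    trace["who"] = b.get(HOST, "/client?who.wcn")                           # 200, creds replayed
    b.forget()
    trace["who_again"] = b.get(HOST, "/client?who.wcn")                     # 401, no Authorization
    return trace


if __name__ == "__main__":
    for step, codes in replay_session().items():
        print(f"{step:10s} -> {codes}")
```

The server side is the part worth copying: it never trusts the presence of an Authorization header, it rejects malformed Base64 and a missing colon before touching the user table, and it compares passwords with hmac.compare_digest so an unknown user and a wrong password cost the same. Whether the second who.wcn request carries credentials is entirely the client's doing; the server answers the same way each time.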