Re: HTTP_AUTHORIZATION header
- From: AWillemsen <AWillemsen@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 26 Mar 2006 14:49:39 -0800
I do not believe IIS is distinguishing between the two cases you mention. If
I authenticate by displaying the HTML page containing the form, then it does
not matter whether I execute the form or type the address of the CGI in -
both result in the HTTP_AUTHORIZATION header not being sent to the CGI. IIS
passes the AUTH_TYPE and AUTH_USER (for Basic) headers, so the browser has
definitely authenticated. But it does not pass the HTTP_AUTHORIZATION header
on the first form or CGI execution. This happens in both IE 6 and Firefox
1.5, and on multiple client machines, so I don't think it's client variation.
I have also tried it on two other server machines, both running IIS 5.0, and
it happens there too.
I do understand the authentication protocols involved, and I do expect the
HTTP_AUTHORIZATION header to be sent on every request, regardless of whether
Basic or NTLM is used. And this does indeed happen - once the header is
sent, it is always sent.
From what I've seen, this does appear to be a bug in IIS...
"David Wang [Msft]" wrote:
Can you explain how IIS can distinguish between you directly typing in the
address of the CGI in the address bar vs the FORM submit?
The answer is -- IIS cannot distinguish between those two cases. Thus, if
you see different behavior in those two situations, it's either client-side
variation or misunderstanding of the authentication protocol involved.
For NTLM, I do not expect HTTP Authorization header to be sent on the second
and subsequent requests after the initial negotiation completes.
For Basic, I expect the HTTP Authorization header to be sent on all
requests.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"AWillemsen" <AWillemsen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:47D24246-0A0F-4592-BA23-91A29232F5CF@xxxxxxxxxxxxxxxx
I am running IIS 5.1 on XP SP2. I have two virtual directories in the same
Web site that have anonymous access disabled - one contains HTML pages and
the other contains a CGI executable. One of the HTML pages has a form which
executes the CGI.
If I open a new browser window, and then open the HTML page with the form, I
get asked for credentials (as expected). I then submit the form which
executes the CGI. The first 2 times I do this, IIS passes to the CGI the
AUTH_TYPE variable with the correct value (Basic or Negotiate, depending on
which authentication scheme I have set up) but it does not pass the
HTTP_AUTHORIZATION variable. The 3rd and subsequent times, both variables
get passed.
Is this a bug in IIS?
Note that I tried authenticating against the CGI first, by opening a new
browser window and typing in the address of the CGI in the address bar. This
asked me for credentials, as expected. If I then go to the HTML form and
submit it, the HTTP_AUTHORIZATION header gets passed to the CGI every time.
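
A diagnostic CGI for the behaviour discussed in this thread, as an added example that is not part of any poster's message: it reports whether AUTH_TYPE, AUTH_USER and HTTP_AUTHORIZATION reached the CGI on each request and classifies the header (Basic, or NTLM message type) without echoing the password. The function name `describe_auth` and the output format are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example: CGI diagnostic for AUTH_TYPE / AUTH_USER / HTTP_AUTHORIZATION.
import base64
import os

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def describe_auth(env):
    """Summarise the auth-related CGI variables without echoing secrets."""
    info = {
        "auth_type": env.get("AUTH_TYPE") or None,
        "auth_user": env.get("AUTH_USER") or None,
        "header_present": bool(env.get("HTTP_AUTHORIZATION", "").strip()),
        "scheme": None,
        "detail": None,
    }
    if not info["header_present"]:
        return info  # with auth_type set, this is the case reported in the thread
    scheme, _, token = env["HTTP_AUTHORIZATION"].strip().partition(" ")
    info["scheme"] = scheme
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        info["detail"] = "token is not valid base64"
        return info
    if scheme.lower() == "basic":
        user, sep, _password = blob.partition(b":")
        if sep:
            info["detail"] = "user=%s password=<redacted>" % user.decode("latin-1")
        else:
            info["detail"] = "malformed Basic credentials"
    elif blob.startswith(b"NTLMSSP\x00") and len(blob) >= 12:
        # NTLM messages carry a little-endian message type after the signature.
        msg_type = int.from_bytes(blob[8:12], "little")
        info["detail"] = "NTLM " + NTLM_TYPES.get(msg_type, "type %d" % msg_type)
    else:
        info["detail"] = "opaque token, %d bytes" % len(blob)  # e.g. Kerberos
    return info

if __name__ == "__main__":
    # Run as a CGI: report what the server passed for this request.
    print("Content-Type: text/plain\r\n\r\n", end="")
    for key, value in describe_auth(os.environ).items():
        print("%s: %s" % (key, value))
```

Logging this summary per request, rather than the raw header, keeps Basic passwords out of the server logs while still showing on which requests the header was absent.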