>>>>> "Alejandro" == Alejandro Fernandez <[EMAIL PROTECTED]> writes:
Alejandro> I am currently using IE to browse my swikis and I am
Alejandro> experiencing a strange effect with the passwords of my
Alejandro> protected swikis. Expected behavior should be that once
Alejandro> you enter your user name and password you receive no more
Alejandro> requests for "that session". At least that's how Netscape
Alejandro> works and looks fine. However Internet Explorer seems to
Alejandro> forget/mix up passwords when you are browsing more than one
Alejandro> protected swiki at the same time. The first problem is that
Alejandro> it starts asking for user name and password for every page
Alejandro> (sometimes more than once for each page). The second
Alejandro> inconvenience is that even if you checked the box "remember
Alejandro> passwords" both user name and password are lost.
I know I could get this from looking at the code, but... does each
swiki have a different BasicAuth "realm name"? If it doesn't, then
confused behavior is inevitable.
However, even if the realm names are proper (distinct per password
area), I've seen some behavior that's incorrect from IE with regard
to passwords. It seems that it delivers auth headers to any URL
that's *likely* to be challenged, so that there's only one trip
per hit instead of the officially required two. Normally the sequence
is:
B(rowser) -> S(erver): give me XYZ/1
S -> B: auth required realm "foo"
B asks user for auth with popup box for realm "foo"
B -> S: give me XYZ/1, user abc pass def
S -> B: 200 OK
...
B -> S: give me XYZ/2
S -> B: auth required realm "foo"
B -> S: give me XYZ/2, user abc pass def
S -> B: 200 OK
and that second part repeats, using the cached abc/def for realm foo,
but only for every hit that comes back with auth required realm "foo".
When you visit a new realm, it's:
B -> S: give me PQR/1
S -> B: auth required realm "bar"
B asks user for auth with popup box for realm "bar"
B -> S: give me PQR/1, user ghi pass jkl
S -> B: 200 OK
and so the browser is always supposed to do the first hit *without*
user/pass so that it knows which realm to use for the cache.
Not so with IE. After the first hit, every request works like this:
B -> S: give me XYZ/3, user abc pass def
S -> B: 200 OK
B -> S: give me XYZ/4, user abc pass def
S -> B: 200 OK
and so on. This is preemptive password sending, and I believe it
violates the intent of the spec, because this is where it gets
into trouble:
B -> S: give me PQR/5, user abc pass def
S -> B: auth required realm "bar"
see, now it's confused. It gave "the password", but it's being
asked for auth! Up comes the pop up box.
Solution, yes, avoid non-standard browsers such as IE. :) In trying to
be clever, they break on standard protocols.
I hope this was clear... :)
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
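The two behaviours described in the message above, modelled as an added example (not code from the original mail or from Swiki): a toy Basic-auth server with two protected areas, a browser that waits for the 401 challenge and keys its credential cache on the realm, and a browser that preemptively resends the last credentials that worked. The area names XYZ/PQR, realm names foo/bar and the credentials are the ones used in the mail; the `CREDS`, `DISTINCT_REALMS` and `SHARED_REALM` tables and the two browser classes are constructed here to illustrate the point. The `SHARED_REALM` run goes beyond the mail's example to show the other failure it mentions: two areas announcing the same realm name confuse even a conforming browser.

```python
import base64

# Constructed credentials for two hypothetical protected areas (swikis) on one server.
CREDS = {"XYZ": ("abc", "def"), "PQR": ("ghi", "jkl")}
DISTINCT_REALMS = {"XYZ": "foo", "PQR": "bar"}   # each password area has its own realm name
SHARED_REALM = {"XYZ": "foo", "PQR": "foo"}      # both areas announce the same realm name

# Constructed browsing sequence that alternates between the two areas.
PAGES = ["XYZ/1", "XYZ/2", "PQR/1", "XYZ/3", "PQR/2"]


def basic_header(user, pw):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def server(path, realms, auth=None):
    """Toy Basic-auth server: returns (status, realm). A 401 carries the realm it challenges with."""
    area = path.split("/", 1)[0]
    realm = realms[area]
    if auth is None or not auth.startswith("Basic "):
        return 401, realm
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    return (200, None) if (user, pw) == CREDS[area] else (401, realm)


class ConformingBrowser:
    """First hit goes out without credentials; the realm in the 401 selects the cached credential."""

    def __init__(self, realms):
        self.realms, self.cache, self.prompts = realms, {}, 0

    def get(self, path):
        status, realm = server(path, self.realms)
        trips = 1
        while status == 401 and trips < 3:
            if realm not in self.cache or trips == 2:   # no entry yet, or the cached entry was rejected
                self.prompts += 1                          # popup: the user types this area's password
                self.cache[realm] = CREDS[path.split("/", 1)[0]]
            status, realm = server(path, self.realms, basic_header(*self.cache[realm]))
            trips += 1
        return status, trips


class PreemptiveBrowser:
    """Model of the behaviour the mail describes: after the first success, every request
    carries the last credentials that worked, without waiting for a challenge."""

    def __init__(self, realms):
        self.realms, self.last, self.prompts = realms, None, 0

    def get(self, path):
        auth = basic_header(*self.last) if self.last else None
        status, realm = server(path, self.realms, auth)
        trips = 1
        if status == 401:                 # "gave the password, but it's being asked for auth"
            self.prompts += 1             # up comes the popup box
            self.last = CREDS[path.split("/", 1)[0]]
            status, realm = server(path, self.realms, basic_header(*self.last))
            trips += 1
        return status, trips


def browse(browser_cls, realms):
    """Visit PAGES in order; return (number of password popups, [(status, round trips), ...])."""
    browser = browser_cls(realms)
    results = [browser.get(page) for page in PAGES]
    return browser.prompts, results


if __name__ == "__main__":
    print("conforming, distinct realms:", browse(ConformingBrowser, DISTINCT_REALMS))
    print("conforming, shared realm:   ", browse(ConformingBrowser, SHARED_REALM))
    print("preemptive, distinct realms:", browse(PreemptiveBrowser, DISTINCT_REALMS))
```

With distinct realms the conforming browser prompts exactly once per realm (two popups for the whole session) and pays two round trips per page, as the mail's B/S exchanges show. The preemptive browser saves a round trip while it stays inside one area, but every switch between XYZ and PQR costs a rejected request and a fresh popup, which is the "asks for every page" symptom reported at the top of the thread. With a shared realm name the conforming browser is no better off: its cache holds one credential for "foo", so every switch gets the wrong password rejected and a re-prompt, which is why distinct realm names per password area are the first thing to check on the server side.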