RE: [SA-list] http/auth checks not working after upgrade to v5

[Dirk Bulinckx]

To give the list an update on how this continued.

 

What I could see in the traces was that indeed in v4 the request was handled diffrently then in v5.

In v4 we did send together with the GET request already the authentication info (basic authentication), in v5 we don't do that.  We send a normal GET and then IF authentication is requested by the server then we send the authentication info.  Based on the RFC that is indeed the correct way to work.

 

Authentication is based on "challenge/response".  This means that the client (browser/Servers Alive) should only send out authentication info (response) when it will get a challenge (from the server), this challenge includes the different ways the server can authenticate.

 

The server checked by Phil did NOT send any authentication challenge (401 frame) but just accepted the request (without authentication).

 

 

A 2nd issue he had with a URL check was indeed a problem within Servers Alive.  The current version (release version that is) has a problem when sending a username in the form of domain\username.  This problem was fixed in one of the first beta builds after the release of 5.0.1748. 

The latest beta build(s) ofcourse also include this fix, you can download that beta from http://Beta.woodstone.nu/soft/salive51.exe

 

 

 

 

Dirk.

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Bulinckx
Sent: Friday, November 11, 2005 10:54 AM
To: salive@woodstone.nu
Subject: RE: [SA-list] http/auth checks not working after upgrade to v5

In v4 you could enable the use of cookies, in v5 that is always done.  BUT those are session cookies (in both cases) not cookies that are kept (on disk) over several sessions.

 

Within the answer of the server there is NO authentication request nor any cookie info.  I realy don't see what we're doing wrong.

 

If you still have a v4.x installed, then let it do a check of the exact same URL and make a network trace (netmon - ethereal) of it and then do the same with v5.  Maybe even one were we can see IE doing this.  And send me (off list) the 3 network traces.  We can then compare to see what the difference is.

 

Dirk.

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deadman, Phil
Sent: Friday, November 11, 2005 10:41 AM
To: salive@woodstone.nu
Subject: RE: [SA-list] http/auth checks not working after upgrade to v5

Wasn't there something in v4 about using cookies? If this isn't basic or NTLM it must be cookie-based authentication.

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dirk Bulinckx
Sent: 10 November 2005 22:13
To: salive@woodstone.nu
Subject: RE: [SA-list] http/auth checks not working after upgrade to v5

A password challenge page is not a real HTTP password page. 

Within a normal GET request you can only do authentication if the server send a authentication request and and authentication request is not an HTML page like the one you're seeing.

I don't see how v4 could have done authentication without an authentication request that is server based.

 

Dirk.