Re: [twsocket] HTTP POST answer code 401

2006-03-08 Thread Tibor Csonka
I think server should read all the request from the client (including 
request data) before responding, even in case of 401 response.
Apache does the same.

From client side, Internet Explorer also retransmits the whole POST 
data with every request.

Fastream Technologies wrote:
> Hello,
>
> I have a question that I am unsure about POST/require authentication. When a
> request arrives at a HTTP server, unless it already contains valid auth
> data, a 401 response is returned. This is very easy with GET and HEAD as the
> request contains data no more than the header. However with POST, the actual
> form data which can be more than MBs is uploaded immediately by the client
> without waiting for a response (unlike FTP). So my problem is:
>
> - consider a POST request with no auth data and of 1MB size
> - folder is password protected by digest auth
> - at TriggerPOSTdocument, the server decides 401
> - however even after the 401 is sent, data keeps coming from the client
> - the next keep-alive request is bad (garbage!!!)
>
> Any idea?
>
> Best Regards,
>
> SubZero

   
-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://www.elists.org/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] HTTP POST answer code 401

2006-03-08 Thread Fastream Technologies
This contradicts the way ICS works. In ICS, you either read the data by 
setting FAcceptpostdata = true by setting the accept flag in 
TriggerPostDocument OR you simply send 401 directly without reading any of 
the data by setting the same flag!!!

Francois, what do you think?

Regards,

SZ



Re: [twsocket] HTTP POST answer code 401

2006-03-08 Thread Guillaume MAISON
Fastream Technologies wrote:
> This contradicts with the way ICS works. In ICS, you either read the data by
> setting FAcceptpostdata = true by setting the accept flag in
> TriggerPostDocument OR you simply send 401 directly without reading any of
> the data by setting the same flag!!!

I haven't looked at  yet, but does any RFC mention something about it?


-- 

Guillaume MAISON - [EMAIL PROTECTED]
83, Cours Victor Hugo
47000 AGEN
Tél : 05 53 87 91 48 - Fax : 05 53 68 73 50
e-mail : [EMAIL PROTECTED] - Web : http://nauteus.com



Re: [twsocket] HTTP POST answer code 401

2006-03-08 Thread Fastream Technologies
I have seen nothing specific to this matter in RFC2616.

Regards,

SZ



Re: [twsocket] HTTP POST answer code 401

2006-03-08 Thread Fastream Technologies
Hello,

Client behavior of IE is the required case but for the server side, I 
implemented a two line easier solution:

For POST, keepalive is disabled for 401, 403 and 404. So we eliminate:

1) The need to get the whole data for no reason (would be denied anyway)
2) we do not get garbage data for the next keepalive request. (this would be 
the case when keep-alive is enabled.)

So the code I propose:

procedure THttpConnection.ProcessPost;
var
    Flags : THttpGetFlag;
begin
{$IFNDEF NO_AUTHENTICATION_SUPPORT}
    if not FAuthenticated then
        Flags := hg401
    else
{$ENDIF}
    if FOutsideFlag and (not (hoAllowOutsideRoot in FOptions)) then
        Flags := hg403
    else
        Flags := hg404;
    FAcceptPostedData := FALSE;
    TriggerPostDocument(Flags);
    case Flags of
    hg401:
        begin
            Answer401;
            if FKeepAlive = FALSE then {Bjornar}
                CloseDelayed;
        end;
    hg403:
        begin
            Answer403;
            if FKeepAlive = FALSE then {Bjornar}
                CloseDelayed;
        end;
    hg404:
        begin
            Answer404;
            if FKeepAlive = FALSE then {Bjornar}
                CloseDelayed;
        end;
    hgAcceptData:
        FAcceptPostedData := TRUE;
    else
        if FKeepAlive = FALSE then {Bjornar}
            CloseDelayed;
    end;
end;

Just remove the lines Bjornar added! ;)))

Best Regards,

SZ
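
The three server behaviours discussed in this thread (answer 401 early and keep the connection, read the whole body first, or answer early and close), modelled at the protocol level. This is an added example, not part of the original messages and not ICS code; the `serve` function, its policy names, the `MAX_DRAIN` cap and the sample byte stream are assumptions constructed for illustration.

```python
import io

METHODS = {"GET", "HEAD", "POST"}
MAX_DRAIN = 64 * 1024  # assumed cap on bytes read from an unauthenticated client

# Constructed sample: unauthenticated POST with a body, then a second request
# on the same keep-alive connection.
BODY = b"a=1&b=2&c=3&d=44"
STREAM = (b"POST /private/upload HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY +
          b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")

def read_head(conn):
    """Return (request_line, headers) for the next request, or None at EOF."""
    line = conn.readline()
    if not line:
        return None
    headers = {}
    for raw in iter(conn.readline, b""):
        if raw in (b"\r\n", b"\n"):
            break
        name, _, value = raw.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return line.rstrip(b"\r\n").decode("latin-1"), headers

def serve(raw, policy):
    """Handle every request on one connection; none carry credentials, so all get 401.
    policy 'early': answer before reading the POST body, keep the connection
           'drain': read Content-Length bytes first (up to MAX_DRAIN), keep it
           'close': answer before reading the body, then close the connection"""
    conn, log = io.BytesIO(raw), []
    while (req := read_head(conn)) is not None:
        request_line, headers = req
        parts = request_line.split(" ")
        if len(parts) != 3 or parts[0] not in METHODS:
            log.append((request_line, 400))  # leftover body parsed as a request
            break
        log.append((request_line, 401))
        length = int(headers.get("content-length", "0"))
        if length == 0 or policy == "early":
            continue
        if policy == "drain" and length <= MAX_DRAIN:
            conn.read(length)                # consume the body, stay in sync
            continue
        break                                # 'close', or body too large to drain
    return log

if __name__ == "__main__":
    for p in ("early", "drain", "close"):
        print(p, serve(STREAM, p))
```

With `early`, the unread body bytes run into the following request line and the parser rejects the result; `drain` and `close` both keep request framing intact, and the cap keeps `drain` from reading megabytes on behalf of a client that has not authenticated.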
