Maurizio Lotauro wrote:
> Scrive Fastream Technologies <[EMAIL PROTECTED]>:
>> Hello,
>> I am trying to fix digest authentication coded by Peter. We have a big 
>> problem with Internet Explorer. In the setup below, you will see a web page 
>> requested without first sending the "Authorization:" header. Then the server
> I think that it is normal because you need some information from the server 
> before starting the authentication.

It is in fact normal:  The first request does not know that 
authentication is required, so the server responds with 401 and the 
credential requirements.  The second request includes the credentials 
and the server authenticates.  But I don't think this was the problem 
pointed out, was it?

>> 24.01.2006 13:31:57 From Remote
>> HTTP/1.1 401 Authorization Required..WWW-Authenticate: Digest Basic 
>> realm=localhost/, uri="localhost/", 
>> qop="auth,auth-int", nonce="MjAwNi0wMS0yNCAxMzozMTo1Nw==", 
>> opaque="ETimpfFSr8qhbccexiZCu80UjTzQdMUmMm"..Content-Length: 
> Why Basic is right after Digest? It should be in a separate header line:
> WWW-Authenticate: Digest realm=...
> WWW-Authenticate: Basic realm=...

As far as I know, you may list them in the same header in the order of 
preference.  Setting them in different headers will just squash them 
into a flat list on the client-side.  So these two are the same:

WWW-Authenticate: Digest Basic realm="foo"


WWW-Authenticate: Digest realm="foo"
WWW-Authenticate: Basic realm="foo"

The problem I see, as SZ pointed out, is that IE7 submitted the wrong 
realm string, which is plainly wrong.  The server seemed to have 
acquiesced to the request, because it returned +200 and content; 
however, he said that IE7 crashed after that.

I don't have IE7, so I cannot reproduce the problem -- in fact IE6.0 
seems to work fine, but I haven't been able to test in more than "Basic" 
authentication, as I do not have access to a server supporting Digest at 
the moment.

Of course, it could be an IE7 bug -- perhaps Digest Authentication 
hasn't been fully implemented, or some idiot left the realm hard-coded 
as "Test" while debugging...  In any case, is there any indication as to 
what caused the crash or at what precise moment it occurred?

SZ, is there a way you could set up a test server for some of us to test 
with various clients?  Also, could you send me a transcript of the HTTP 
transaction with Firefox or Opera, just to see what is different?
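
The second step of the exchange discussed in this thread, as an added example that is not part of the original message or of the ICS code: a server-side check (Python, hypothetical function names) that the realm, nonce and opaque echoed in the Authorization header match the challenge before the RFC 2617 response is recomputed. The account, URI and cnonce are constructed; realm, nonce and opaque are taken from the quoted 401.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 request-digest for qop=auth:
    # response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def verify(issued, creds, method, passwords):
    # The client must echo realm, nonce and opaque exactly as challenged.
    for field in ("realm", "nonce", "opaque"):
        if creds.get(field) != issued[field]:
            return f"reject: {field} mismatch"
    if creds.get("qop") != "auth":
        return "reject: unsupported qop"
    password = passwords.get(creds.get("username"))
    if password is None:
        return "reject: unknown user"
    expected = digest_response(creds["username"], issued["realm"], password,
                               method, creds.get("uri", ""), issued["nonce"],
                               creds.get("nc", ""), creds.get("cnonce", ""))
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(expected, creds.get("response", "")):
        return "reject: bad response"
    return "accept"

# Challenge values as they appear in the 401 quoted above.
ISSUED = {"realm": "localhost/",
          "nonce": "MjAwNi0wMS0yNCAxMzozMTo1Nw==",
          "opaque": "ETimpfFSr8qhbccexiZCu80UjTzQdMUmMm"}
PASSWORDS = {"alice": "secret"}  # constructed account

def client_credentials(realm):
    # Constructed second request; the client hashes with the realm it sends.
    creds = {"username": "alice", "realm": realm, "uri": "/", "qop": "auth",
             "nc": "00000001", "cnonce": "0a4f113b",
             "nonce": ISSUED["nonce"], "opaque": ISSUED["opaque"]}
    creds["response"] = digest_response("alice", realm, "secret", "GET", "/",
                                        creds["nonce"], creds["nc"], creds["cnonce"])
    return creds

if __name__ == "__main__":
    print(verify(ISSUED, client_credentials("localhost/"), "GET", PASSWORDS))
    print(verify(ISSUED, client_credentials("Test"), "GET", PASSWORDS))
```

A client that hashes with a realm other than the one challenged is rejected at the echo check, before any password lookup takes place.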
