Hello,

Client behavior of IE is the required case but for the server side, I 
implemented a two line easier solution:

For POST, keepalive is disabled for 401, 403 and 404. So we eliminate:

1) The need to get the whole data for no reason (would be denied anyway)
2) we do not get garbage data for the next keepalive request. (this would be 
the case when keep-alive is enabled.)

So the code I propose:

procedure THttpConnection.ProcessPost;
var
    Flags : THttpGetFlag;
begin
{$IFNDEF NO_AUTHENTICATION_SUPPORT}
    if not FAuthenticated then
        Flags := hg401
    else
{$ENDIF}
    if FOutsideFlag and (not (hoAllowOutsideRoot in FOptions)) then
        Flags := hg403
    else
        Flags := hg404;
    FAcceptPostedData := FALSE;
    TriggerPostDocument(Flags);
    case Flags of
    hg401:
        begin
            Answer401;
            if FKeepAlive = FALSE then {Bjornar}
                CloseDelayed;
        end;
    hg403:
        begin
            Answer403;
            if FKeepAlive = FALSE then {Bjornar}
                CloseDelayed;
        end;
    hg404:
        begin
            Answer404;
            if FKeepAlive = FALSE then {Bjornar}
                CloseDelayed;
        end;
    hgAcceptData:
        FAcceptPostedData := TRUE;
    else
        if FKeepAlive = FALSE then {Bjornar}
            CloseDelayed;
    end;
end;

Just remove the lines Bjornar added! ;)))

Best Regards,

SZ

----- Original Message ----- 
From: "Tibor Csonka" <[EMAIL PROTECTED]>
To: "ICS support mailing" <twsocket@elists.org>
Sent: Wednesday, March 08, 2006 1:45 PM
Subject: Re: [twsocket] HTTP POST answer code 401


>I think server should read all the request from the client (including
> request data) before responding, even in case of 401 response.
> Apache does the same.
>
> From client side, Internet Explorer also retransmits the whole POST
> data with every request.
>
> Fastream Technologies wrote:
>> Hello,
>>
>> I have a question that I am unsure about POST/require authentication. 
>> When a
>> request arrives at a HTTP server, unless it already contains valid auth
>> data, a 401 response is returned. This is very easy with GET and HEAD as 
>> the
>> request contains data no more than the header. However with POST, the 
>> actual
>> form data which can be more than MBs is uploaded immediately by the 
>> client
>> without waiting for a response (unlike FTP). So my problem is:
>>
>> - consider a POST request with no auth data and of 1MB size
>> - folder is password protected by digest auth
>> - at TriggerPOSTdocument, the server decides 401
>> - however even after the 401 is sent, data keeps coming from the client
>> - the next keep-alive request is bad (garbage!!!)
>>
>> Any idea?
>>
>> Best Regards,
>>
>> SubZero
>>
>>
> -- 
> To unsubscribe or change your settings for TWSocket mailing list
> please goto http://www.elists.org/mailman/listinfo/twsocket
> Visit our website at http://www.overbyte.be 

-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://www.elists.org/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Reply via email to