Heiko Sommerfeldt wrote:
> The same happens here with IE8beta too.
> Therefore I answer with 403 after such failed login.

It's a bug in THttpServer :(

RFC 2617                  HTTP Authentication                  June 1999

     A flag, indicating that the previous request from the client was
     rejected because the nonce value was stale. If stale is TRUE
     (case-insensitive), the client may wish to simply retry the request
     with a new encrypted response, without reprompting the user for a
     new username and password. The server should only set stale to TRUE
     if it receives a request for which the nonce is invalid but with a
     valid digest for that nonce (indicating that the client knows the
     correct username/password). If stale is FALSE, or anything other
     than TRUE, or the stale directive is not present, the username
     and/or password are invalid, and new values must be obtained.

stale is always set to TRUE by the component, which is a bug.

I suggest the following fix:

in (OverbyteIcs)HttpSrv.pas,
function THttpConnection.AuthDigestGetParams: Boolean;
        if FAuthDigestQop <> 'auth-int' then
        { whatever it is }

    // FAuthDigestStale := TRUE;   <== outcomment { AG }
    if (LastTime + t1) > t2 then
        Result := TRUE
    else                           <== add { AG }
        FAuthDigestStale := TRUE;  <== add { AG }
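
Review bot: In the added else branch, FAuthDigestStale is set to TRUE as soon as the `(LastTime + t1) > t2` test fails, with no digest comparison visible in these lines. The RFC 2617 text quoted above says stale should be TRUE only when the nonce is invalid and the digest for that nonce is valid, so as shown a request with an expired nonce and a wrong password would still be answered with stale=TRUE. Consider setting the flag only after the password check has succeeded, or clearing it again when that check fails.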

What do you think?

Arno Garrels [TeamICS]
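
The stale rule from the RFC 2617 text quoted above, as an added Python example that is not part of the original post and is not ICS code: the server reports stale=TRUE only when the nonce is no longer valid and the digest computed for that nonce is correct. The nonce format, `SECRET`, `NONCE_LIFETIME` and all function names are assumptions made for this illustration, and the sample credentials are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-server-secret"  # assumption: key used to sign nonces
NONCE_LIFETIME = 60                    # assumption: nonce validity in seconds

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def same(a: str, b: str) -> bool:
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(a.encode(), b.encode())

def make_nonce(issued_at: int) -> str:
    mac = hmac.new(SECRET, str(issued_at).encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}:{mac[:16]}"

def nonce_is_fresh(nonce: str, now: int) -> bool:
    ts = nonce.partition(":")[0]
    if not ts.isdigit() or not same(make_nonce(int(ts)), nonce):
        return False                   # not a nonce this server issued
    return int(ts) + NONCE_LIFETIME > now

def expected_response(p: dict, method: str, password: str) -> str:
    # RFC 2617 request-digest for qop=auth with the MD5 algorithm.
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")

def check_digest(p: dict, method: str, password: str, now: int):
    """Return (http_status, stale) for one Authorization header."""
    fresh = nonce_is_fresh(p["nonce"], now)
    digest_ok = same(expected_response(p, method, password), p["response"])
    if fresh and digest_ok:
        return 200, False
    # stale=TRUE only if the client proved it knows the password for an
    # invalid nonce; a wrong digest must make the browser re-prompt.
    return 401, (digest_ok and not fresh)

def client_request(nonce: str, password: str, method: str = "GET") -> dict:
    # Constructed client parameters, for demonstration only.
    p = {"username": "alice", "realm": "constructed", "uri": "/",
         "nonce": nonce, "nc": "00000001", "cnonce": "abc", "qop": "auth"}
    p["response"] = expected_response(p, method, password)
    return p

if __name__ == "__main__":
    nonce = make_nonce(1000)
    print(check_digest(client_request(nonce, "secret"), "GET", "secret", 1010))
    print(check_digest(client_request(nonce, "secret"), "GET", "secret", 2000))
    print(check_digest(client_request(nonce, "wrong"), "GET", "secret", 2000))
```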
