I'm not sure what browser you're using where each authenticated page request requires two hits, but IE will send authentication information for all subsequent hits in the same area without being asked. The first request obviously is rejected on the grounds that no authentication information is provided, but after that the browser should know to send it automatically.
I think you're mixing up cookies and auth here, or perhaps the caching of auth performed by a browser. A browser is not supposed to send auth unless challenged. IE remembers that you auth'ed in an area (against a particular realm name), and resends its stored auth in the same area, but it can't know which auth to send until it gets a challenge with the realm name. And it can't get the challenge unless it sends it without auth the first time.
I just verified this in a basicauth protected area of my website. iCab gets it right, waiting for the challenge on each hit. And yes, NS and IE both do it wrong, sending an auth before being challenged. How sucky.
How do they know which realm to send up? Or do they just do the most recent realm? That could be a security hole.
Ahh, RFC2617 agrees with both of us {grin}:
A client MAY preemptively send the
corresponding Authorization header with requests for resources in
that space without receipt of another challenge from the server.
Similarly, when a client sends a request to a proxy, it may reuse a
userid and password in the Proxy-Authorization header field without
receiving another challenge from the proxy server. See section 4 for
security considerations associated with Basic authentication.
Hmm. I did not know the preemptive auth send. Thanks for pointing that out to me.
-- Randal L. Schwartz, Perl hacker
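An added example, not part of the original post: a small model of how a client can scope preemptive Basic auth to the protection space learned from an earlier challenge (RFC 2617 section 2 treats paths at or below the challenged URL's directory as the same space), so credentials are not simply sent for the most recent realm. The class and function names and the example.test URLs are hypothetical and constructed for illustration.

```python
import base64
from urllib.parse import urlsplit


def split_url(url):
    """Return (origin, path) for a URL; an empty path is treated as '/'."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}", u.path or "/"


def space_root(path):
    """Directory part of the path. RFC 2617 section 2: paths at or deeper than
    this are assumed to be in the challenge's protection space."""
    return path[: path.rfind("/") + 1]


class BasicAuthCache:
    """Hypothetical model of a client's Basic credential cache."""

    def __init__(self):
        self.creds = {}   # (origin, realm) -> "user:password" typed by the user
        self.spaces = {}  # (origin, path prefix) -> realm learned from a 401

    def store(self, origin, realm, user, password):
        self.creds[(origin, realm)] = f"{user}:{password}"

    def _header(self, origin, realm):
        raw = self.creds[(origin, realm)].encode()
        return "Basic " + base64.b64encode(raw).decode()

    def on_challenge(self, url, realm):
        """Handle a 401 naming `realm`: return the Authorization value to retry
        with, or None when the user has to be prompted."""
        origin, path = split_url(url)
        if (origin, realm) not in self.creds:
            return None
        self.spaces[(origin, space_root(path))] = realm
        return self._header(origin, realm)

    def preemptive(self, url):
        """Authorization value to send unchallenged, or None when the URL is
        outside every protection space learned for its origin."""
        origin, path = split_url(url)
        hits = [(p, r) for (o, p), r in self.spaces.items()
                if o == origin and path.startswith(p)]
        if not hits:
            return None
        realm = max(hits, key=lambda h: len(h[0]))[1]  # deepest prefix wins
        return self._header(origin, realm)
```

The first hit on a protected directory still goes out without credentials; only later requests under the same origin and path prefix get the header unprompted.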