I'm not sure what browser you're using where each authenticated page request requires two hits, but IE will send authentication information for all subsequent hits in the same area without being asked. The first request obviously is rejected on the grounds that no authentication information is provided, but after that the browser should know to send it automatically.
I think you're mixing up cookies and auth here, or perhaps the caching of auth performed by a browser. A browser is not supposed to send auth unless challenged. IE remembers that you auth'ed in an area (against a particular realm name), and resends its stored auth in the same area, but it can't know which auth to send until it gets a challenge with the realm name. And it can't get the challenge unless it sends it without auth the first time.

I just verified this in a basicauth protected area of my website. iCab gets it right, waiting for the challenge on each hit. And yes, NS and IE both do it wrong, sending an auth before being challenged. How sucky. How do they know which realm to send up? Or do they just do the most recent realm? That could be a security hole.

Ahh, RFC2617 agrees with both of us {grin}:

A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server. Similarly, when a client sends a request to a proxy, it may reuse a userid and password in the Proxy-Authorization header field without receiving another challenge from the proxy server. See section 4 for security considerations associated with Basic authentication.
Hmm. I did not know the preemptive auth send. Thanks for pointing that out to me.

-- Randal L. Schwartz, Perl hacker


In reply to RE: RE: RE: Answer: Security: Cookies vs HTTP authentication by merlyn
in thread Security: Cookies vs HTTP authentication by rodry
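The challenge-then-preempt behaviour described in the RFC 2617 passage above, as an added illustration that is not part of the original thread: a simulated Basic-auth client that reuses a credential unprompted only inside the protection space (origin plus path prefix) it was already challenged in, so it never has to guess which realm to send. The server, URLs and credentials are constructed for the demo.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed demo server, not a real site: URL prefix -> (realm, user, password).
PROTECTED = {"https://example.test/private/": ("members", "alice", "s3cret")}

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"

def fake_server(url, headers):
    """Serve 200, or challenge with the realm guarding this path (RFC 2617 Basic)."""
    for prefix, (realm, user, pw) in PROTECTED.items():
        if url.startswith(prefix):
            if headers.get("Authorization") == basic(user, pw):
                return 200, {}
            return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}
    return 200, {}

class BasicAuthClient:
    """Preempts only inside a protection space (origin + path prefix) it was challenged in."""
    def __init__(self, keyring):
        self.keyring = keyring   # (origin, realm) -> (user, password): the user's saved logins
        self.spaces = {}         # (origin, path prefix) -> Authorization header safe to reuse
        self.requests = []       # (url, Authorization sent?) for every hit on the server

    def get(self, url):
        """Return the final status; Authorization goes unprompted only into a known space."""
        o, path = origin(url), urlsplit(url).path
        auth = next((a for (so, p), a in self.spaces.items()
                     if so == o and path.startswith(p)), None)
        self.requests.append((url, auth is not None))
        status, resp = fake_server(url, {"Authorization": auth} if auth else {})
        m = re.match(r'Basic realm="([^"]*)"', resp.get("WWW-Authenticate", ""))
        if status != 401 or not m:
            return status
        creds = self.keyring.get((o, m.group(1)))  # choose by realm, never the most recent login
        if not creds:
            return 401
        auth = basic(*creds)
        self.requests.append((url, True))
        status, _ = fake_server(url, {"Authorization": auth})
        if status == 200:  # remember the space: this origin, paths at or below this directory
            self.spaces[(o, path.rsplit("/", 1)[0] + "/")] = auth
        return status
```

The first protected fetch costs two hits (challenge, then retry); later fetches under the same directory are preempted in one, while a public path or another host never receives the stored credential.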
