W3C home > Mailing lists > Public > www-talk@w3.org > May to June 2002

Re: authentication scope with persistant connections

From: Simon Fell <soap@zaks.demon.co.uk>
Date: Sat, 01 Jun 2002 18:56:02 -0700
To: Mark Baker <distobj@acm.org>
Cc: www-talk@w3.org
Message-ID: <q2uifu4vlqej3s8c7pm4qtglo8rln8jf7l@4ax.com>
Hi Mark,

On Sat, 1 Jun 2002 21:23:10 -0400, in soap you wrote:

>Hi Simon,
>
>On Sat, Jun 01, 2002 at 03:45:12PM -0700, Simon Fell wrote:
>> 
>> Hi,
>> 
>> I'm trying to work out how authentication and persistent connections
>> interact. I initially thought that the authentication header will only
>> apply to the scope of that particular HTTP exchange, however I'm
>> seeing with IIS that subsequent requests on the same connection
>> continue to be treated as authenticated even if the following request
>> doesn't specify an authentication header. 
>> 
>> Can anyone clarify what the expected behavior should be ?
>
>If that's what's happening, IIS is broken.  The connection style
>doesn't impact the statelessness of the interaction.
>
>Are you sure that's what you're observing?
>
>MB

I Just double checked everything and this I'm definitely seeing this.
I have IIS running on W2K Server with SP2, and have a page configured
for authenticated access only. I have a test HTTP/1.1 client that is
POSTing to this page. If i do 2 consecutive POSTs the first with an
Authorization header and the second without one, the second POST
succeeds, rather than getting the expected 401. If i swap the two
POSTs around, so that the first one doesn't have the Authorization
header, then i do get the expected 401. I've attached a capture of the
HTTP traffic [from Ethereal]

Cheers
Simon


Received on Saturday, 1 June 2002 21:55:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:27 GMT