- From: Simon Fell <soap@zaks.demon.co.uk>
- Date: Sat, 01 Jun 2002 18:56:02 -0700
- To: Mark Baker <distobj@acm.org>
- Cc: www-talk@w3.org
- Message-ID: <q2uifu4vlqej3s8c7pm4qtglo8rln8jf7l@4ax.com>
Hi Mark, On Sat, 1 Jun 2002 21:23:10 -0400, in soap you wrote: >Hi Simon, > >On Sat, Jun 01, 2002 at 03:45:12PM -0700, Simon Fell wrote: >> >> Hi, >> >> I'm trying to work out how authentication and persistent connections >> interact. I initially thought that the authentication header will only >> apply to the scope of that particular HTTP exchange, however I'm >> seeing with IIS that subsequent requests on the same connection >> continue to be treated as authenticated even if the following request >> doesn't specify an authentication header. >> >> Can anyone clarify what the expected behavior should be ? > >If that's what's happening, IIS is broken. The connection style >doesn't impact the statelessness of the interaction. > >Are you sure that's what you're observing? > >MB I Just double checked everything and this I'm definitely seeing this. I have IIS running on W2K Server with SP2, and have a page configured for authenticated access only. I have a test HTTP/1.1 client that is POSTing to this page. If i do 2 consecutive POSTs the first with an Authorization header and the second without one, the second POST succeeds, rather than getting the expected 401. If i swap the two POSTs around, so that the first one doesn't have the Authorization header, then i do get the expected 401. I've attached a capture of the HTTP traffic [from Ethereal] Cheers Simon
Attachments
- text/plain attachment: auth.txt
Received on Saturday, 1 June 2002 21:55:19 UTC