Hi folks,

I've observed three bugs in IE6's digest proxy authentication implementation.
Is anyone able to confirm that it's Not Just Me, and whether any good
workarounds are already out there?

1. Double-quote-marks in URLs. IE sends a digest-uri-value that's improperly
escaped, as in (when visiting http://localhost/test.html"foo):

    Digest username="User Name", realm="Login", qop="auth", algorithm="MD5", uri="/test.html"foo", nonce="q3...

vs Firefox which sends:

    Digest username="User Name", realm="Login", nonce="42yWQuDPGw/gebJ8", uri="/test.html%22foo", response="666...

I've worked around this by means of a hack in authenticateDigestDecodeAuth.

2. Never reuses a nonce - always sends a request, gets a 407 challenge
with a new nonce value, then reissues the request with the correct
Proxy-Authorization header; this doubles the number of actual HTTP
requests; is there a workaround?

3. IE gets confused when a website uses a 401 authentication challenge.
In this case, it prompts for and sends the Authorization: header,
but then repeatedly re-prompts the user for their proxy credentials.
I've worked around this by inventing the following access list:

    acl msie-win-browser browser MSIE.*Windows
    acl basic-auth auth_regex Basic
    auth_param digest access deny msie-win-browser basic-auth
    auth_param digest access allow all

Yes, I had to invent "auth_regex" and "auth_param digest access".
This ACL effectively downgrades the user to using basic proxy auth
if using basic www auth.

I'd especially like a solution for bug 3, because the workaround is
ugly, insecure and expensive. I have a case open with Microsoft Partner
Support right now.

Oddly enough, IE5 on the Mac doesn't have any of these symptoms.

Any takers?

-- Joshua Goodall "as modern as tomorrow afternoon" joshua@roughtrade.net - FW109

Received on Thu May 26 2005 - 18:59:44 MDT
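
Bug 1 above, shown as an added example that is not part of the original message and not Squid's code: a strict quoted-string parser stops at the unescaped double quote inside IE6's uri value, while a tolerant rule recovers it. The tolerant rule is a hypothetical stand-in (the message does not show the hack in authenticateDigestDecodeAuth), and the sample headers are constructed from the two quoted above with placeholder values where those are truncated.

```python
import re

# Constructed samples modelled on the two headers quoted in the message; the
# truncated nonce/response values are replaced with labelled placeholders.
IE6 = ('Digest username="User Name", realm="Login", qop="auth", algorithm="MD5", '
       'uri="/test.html"foo", nonce="PLACEHOLDER-NONCE", response="PLACEHOLDER"')
FIREFOX = ('Digest username="User Name", realm="Login", nonce="42yWQuDPGw/gebJ8", '
           'uri="/test.html%22foo", response="PLACEHOLDER"')

# Strict: a quoted value ends at the first unescaped double quote.
STRICT = re.compile(r'\s*(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')
# Tolerant (hypothetical rule, not Squid's code): a double quote closes the
# value only when a comma or the end of the header follows it.
TOLERANT = re.compile(r'\s*(\w+)=(?:"(.*?)"|([^\s,"]+))\s*(?:,|$)')


def parse_digest(header, pattern):
    """Return (params, error); error is None when every parameter parsed."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        return {}, "not a Digest header"
    params, pos = {}, 0
    while pos < len(rest):
        m = pattern.match(rest, pos)
        if m is None:
            # Report where parsing stopped so the bad parameter can be logged.
            return params, "malformed parameter near %r" % rest[pos:pos + 24]
        name, quoted, token = m.group(1), m.group(2), m.group(3)
        params[name.lower()] = quoted if quoted is not None else token
        pos = m.end()
    return params, None


if __name__ == "__main__":
    for label, header in (("IE6", IE6), ("Firefox", FIREFOX)):
        for mode, pattern in (("strict", STRICT), ("tolerant", TOLERANT)):
            params, error = parse_digest(header, pattern)
            print(label, mode, "uri=%r" % params.get("uri"), "error=%r" % error)
```

The tolerant rule is ambiguous whenever a value itself contains a double quote followed by a comma, so a parser that accepts such headers should still check the recovered uri against the request target before trusting it.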