[Mono-bugs] [Bug 321212] HttpWebRequest must not send credentials on first request

bugzilla_noreply at novell.com
Tue Nov 6 17:18:27 EST 2007


https://bugzilla.novell.com/show_bug.cgi?id=321212#c4


Geoff Norton <gnorton at novell.com> changed:

           What    |Removed                                         |Added
----------------------------------------------------------------------------
                 CC|                                                |gnorton at novell.com




--- Comment #4 from Geoff Norton <gnorton at novell.com>  2007-11-06 15:18:27 MST ---
I spent a bit of time on this and the reporter is correct.  PreAuthenticate
acts the same on 1.1 and 2.0 but it does NOT blindly send the credentials; it
causes the following behaviour:

WITHOUT PREAUTH:
(HttpWebRequest Object #1)
C: GET /someUrl
S: 401 Auth Required
C: GET /someUrl (with authentication headers)
S: 200 OK

(HttpWebRequestObject #2)
C: GET /someOtherUrl
S: 401 Auth Required
C: GET /someOtherUrl (with authentication headers)
S: 200 OK

WITH PREAUTH:
(HttpWebRequest Object #1)
C: GET /someUrl
S: 401 AuthRequired
C: GET /someUrl (with authentication headers)
S: 200 OK

(HttpWebRequest Object #2)
C: GET /someOtherUrl (with authentication headers)
S: 200 OK

There are a few caveats.  Domain has to match and the path has to match up to
the containing folder of the first request.  Also both request #1 and #2 must
have the same credentials and both have to set PreAuthenticate = true. 
Microsoft must keep some sort of state cache of PreAuth requests and only skip
getting the 401 when those criteria match.

We still need to determine whether these are appdomain specific (I assume they
are) and what lifecycle they have (if any).


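The caveats in comment #4, modelled as an added example (not code from the bug report, Mono, or Microsoft): a cache that decides whether a second request may carry credentials before any 401 is seen. The class and method names are hypothetical, the URLs and credentials are constructed, and treating "up to the containing folder" as a prefix match (so subfolders also match) is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Model of the cache inferred in comment #4; PreAuthCache, Record and ShouldSendUpFront are hypothetical names.
class PreAuthCache
{
    // "scheme://host[:port]/folder/" -> credentials that answered a 401 there.
    readonly Dictionary<string, NetworkCredential> scopes = new Dictionary<string, NetworkCredential>();

    // Authority plus the path up to the containing folder of the request.
    static string ScopeOf(Uri uri)
    {
        string path = uri.AbsolutePath;
        return uri.GetLeftPart(UriPartial.Authority) + path.Substring(0, path.LastIndexOf('/') + 1);
    }

    static bool Same(NetworkCredential a, NetworkCredential b) =>
        a.UserName == b.UserName && a.Password == b.Password && a.Domain == b.Domain;

    // Request #1: remember the scope once the 401 challenge was answered successfully.
    public void Record(Uri uri, NetworkCredential cred, bool preAuthenticate)
    {
        if (preAuthenticate && cred != null) scopes[ScopeOf(uri)] = cred;
    }

    // Request #2: send credentials up front only if every caveat holds; otherwise wait for the 401.
    public bool ShouldSendUpFront(Uri uri, NetworkCredential cred, bool preAuthenticate)
    {
        if (!preAuthenticate || cred == null) return false;
        string target = uri.GetLeftPart(UriPartial.Authority) + uri.AbsolutePath;
        foreach (var entry in scopes)
            if (target.StartsWith(entry.Key, StringComparison.Ordinal) && Same(entry.Value, cred))
                return true;
        return false;
    }
}

class Demo
{
    static void Main()
    {
        var cache = new PreAuthCache();
        var alice = new NetworkCredential("alice", "constructed-pw"); // constructed sample values
        cache.Record(new Uri("http://example.test/app/someUrl"), alice, true);
        foreach (string url in new[] { "http://example.test/app/someOtherUrl",  // same folder
                                       "http://example.test/other/page",        // different folder
                                       "http://other.test/app/someOtherUrl" })  // different host
            Console.WriteLine(url + " -> " + cache.ShouldSendUpFront(new Uri(url), alice, true));
    }
}
```

Keying the cache on host, folder and credentials together is what keeps the Authorization header from being attached to a request for a different host or an unrelated path.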