[nycphp-talk] Definitely A Digest Request bug in IE
Michele Waldman
mmwaldman at nyc.rr.com
Tue Feb 3 19:30:58 EST 2009
This can't possibly be the way a request should work.
Don't try this at home.
If this is misinformation, my apologies in advanced, but I've tested it out
like 30 times using the originally install http on my server.
When I was just testing my variation of mod_auth_digest, I found IE 7 may
have a bug or odd behavior.
The first time it requests login.php in one realm, it's fine.
The first times requests logoff.php in another realm, it's fine.
The second time it requests login.php, it uses the user name and realm from
logoff.php in the request instead of the user name for login.php which is in
the dialog box by default. Typing it in doesn't make a difference.
When the authorization fails and the user re-enters his/her info, it sends
another request with the correct user name and realm, but this time it
doesn't recognize the response from http.
It prompts a third time for good measure.
You can go back to the logoff.php page without authorization.
I'm going round and round with this.
I tested out the original mod_auth_digest file in IE, changing from realm to
realm with that module produced the same problem as I was seeing in my
variation.
I was using:
<Files login.php>
AuthType Digest
AuthName "login"
AuthUserFile /path/.htpasswd
AuthDigestDomain https://domain/account/
require valid-user
</Files>
<Files logoff.php>
AuthType Digest
AuthName "logoff"
AuthUserFile /path/.htpasswd
AuthDigestDomain https://domain/account/
require valid-user
</Files>
The contents of login.php and logoff.php are <?php phpinfo(); ?>
.htpassword contains two users of the appropriate realm created with
.htdigest.
In ie,
I request login.php
I request logoff.php
I request login.php, boom, two 3 dialog boxes and fails authorization.
I request logoff.php, it displays.
I'm going to try to find a work around for this.
Anyone interested is welcome to try this little test out or explain to me
this is how digest works.
I know what's in the actual request values because I printed them out from
mod_auth_digest.
In Firefox, this is not the behavior. Each previously logged into page
can't be viewed.
I would prefer re-authenication every time the realm is changed for the same
AuthDigestDomain.
It sets the first realm for the domain. When you log into another page in a
different realm in the same domain, it doesn't change the realm. Other
subsequent page requests are made with the initial realm plus you have to
get the user name from $_SERVER["PHP_AUTH_DIGEST"] because
$_SERVER[AUTH_USER_NAME] isn't set. Arrggghh!
My stinking changes to make mod_auth_digest work with mysql worked.
Unfortunately, mod_auth_digest seems to not be implemented correctly on the
browsers.
Michele
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20090203/ce6bd28f/attachment.html>
More information about the talk
mailing list