Heiko Sommerfeldt wrote:
> The same happens here with IE8beta too.
> Therefore I answer with 403 after such failed login.
It's a bug in THttpServer :(
[..]
RFC 2617                  HTTP Authentication                  June 1999

   stale
     A flag, indicating that the previous request from the client was
     rejected because the nonce value was stale. If stale is TRUE
     (case-insensitive), the client may wish to simply retry the request
     with a new encrypted response, without reprompting the user for a
     new username and password. The server should only set stale to TRUE
     if it receives a request for which the nonce is invalid but with a
     valid digest for that nonce (indicating that the client knows the
     correct username/password). If stale is FALSE, or anything other
     than TRUE, or the stale directive is not present, the username
     and/or password are invalid, and new values must be obtained.
[..]
stale is always set to TRUE by the component, which is a bug.
I suggest the following fix:

in (OverbyteIcs)HttpSrv.pas,

function THttpConnection.AuthDigestGetParams: Boolean;
..
        daAuthInt:
            if FAuthDigestQop <> 'auth-int' then
                Exit;
        daBoth:
            { whatever it is }
    end;
    // FAuthDigestStale := TRUE;      <== comment out { AG }
..
    if (LastTime + t1) > t2 then
        Result := TRUE
    else                              <== add { AG }
        FAuthDigestStale := TRUE;     <== add { AG }

What do you think?
--
Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html
end;
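
The stale rule from the RFC 2617 excerpt quoted in this message, as an added Python example (not part of the original e-mail and not ICS code): the server reports stale=TRUE only when the digest is correct for an expired nonce, and stale=FALSE for a wrong password. The HMAC-protected timestamp nonce, the realm, key, lifetime and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

REALM = "ics-demo"           # constructed value
SECRET = b"constructed-key"  # constructed server key protecting nonces
NONCE_LIFETIME = 60          # seconds; assumed policy

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]

def make_nonce(now):
    ts = str(int(now))
    return f"{ts}:{_mac(ts)}"

def nonce_state(nonce, now):
    """'fresh', 'expired', or 'forged' (not issued by this server)."""
    ts, _, mac = nonce.partition(":")
    if not (nonce.isascii() and ts.isdigit()):
        return "forged"
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return "forged"
    return "fresh" if now - int(ts) <= NONCE_LIFETIME else "expired"

def digest_response(user, password, req):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{req['method']}:{req['uri']}")
    return md5_hex(f"{ha1}:{req['nonce']}:{req['nc']}:{req['cnonce']}:auth:{ha2}")

def client_request(user, password, nonce):
    """Constructed sample of the fields a client sends in Authorization."""
    req = {"username": user, "method": "GET", "uri": "/private",
           "nonce": nonce, "nc": "00000001", "cnonce": "0a4f113b"}
    req["response"] = digest_response(user, password, req)
    return req

def check(req, users, now):
    """Return (status, stale) for the reply or the next challenge."""
    password = users.get(req["username"])
    digest_ok = password is not None and hmac.compare_digest(
        req["response"].encode(),
        digest_response(req["username"], password, req).encode())
    state = nonce_state(req["nonce"], now)
    if digest_ok and state == "fresh":
        return 200, False
    # stale=TRUE only for a correct digest over an expired nonce; a wrong
    # password must yield stale=FALSE so the client reprompts the user.
    return 401, digest_ok and state == "expired"
```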