The bug was that if you do an unauthenticated POST, PUT, or DELETE, the Form Authentication valve was trying to do a POST, PUT, or DELETE to the login form. The correct behaviour IMHO is to always GET the login form and return it as a response to the unauthenticated request of any kind. Then, once the form is POSTed and authentication is successful, the original request, whatever it may have been, should be replayed. Right?
On Friday, October 07, 2011 16:07:20 Nicholas Sushkin wrote:
> Before being forwarded to the login page, the request is saved and only then
> turned into a GET, before dispatching the forward to the login page. After
> the login form is submitted, the original request is restored from the saved
> state and is replayed.

--
Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
Open Finance - Secure, Accurate, Industrial Strength Aggregation
<http://www.openfinance.com>