IIS Authentication

After configuring Basic Authentication in IIS6, when I try to access a resource, it returns a 401 and asks for credentials. Now when I give the credential, it allows the resource. After this, I try to access another resource in the same virtual server, it allows the access to the resource.
I was assuming that the server sends a cookie to maintain the session. But I don't see Set:Cookie in response header or Cookie in request header. Basically, there's no cookie involved at all. For every request, the Authorization header with the same encrypted value (different in the case of Digest Authentication) is present.
Can somebody tell me where this value of Authorization header is stored. The browser remembers it once authenticated in the first request.

Thanks,
Robertis

There is no cookie involved. With Basic Authentication, the data in the Authorization: header isn't encrypted - it's just Base64 encoded, and includes your username and password.

Once you have successfully authenticated, the browser (IE or Firefox, or whatever) continues to send the same authorization data for every subsequent request to the same website until either:
a) the server sends back an Access Denied (in which case you are prompted to supply alternate credentials)
b) you close your browser

Cheers
Ken

"Robertis Tongbram" <RobertisTongb***@discussions.microsoft.com> wrote in message news:D2C40285-E110-4317-97FF-6006BAE12FDB@microsoft.com...
> After configuring Basic Authentication in IIS6, when I try to access a
> resource, it returns a 401 and asks for credentials. Now when I give the
> credential, it allows the resource. After this, I try to access another
> resource in the same virtual server, it allows the access to the resource.
> I was assuming that the server sends a cookie to maintain the session.
> But I don't see Set:Cookie in response header or Cookie in request header.
> Basically, there's no cookie involved at all. For every request, the
> Authorization header with the same encrypted value (different in the case
> of Digest Authentication) is present.
> Can somebody tell me where this value of Authorization header is stored.
> The browser remembers it once authenticated in the first request.
>
> Thanks,
> Robertis

Thanks a lot Ken.
I was interested particularly when the browser remembers the credentials. I started thinking on these lines when I assumed a use-case when this browser-remembering-credential thingy might start interfering (or overriding) any authorization (or authentication) policies at the server side. I was assuming browser should also act stateless (as in stateless HTTP), unless server says something.
PS: I said 'encrypted' Authorization header so it is more generic (like Digest auth)

Anyways, thanks for your time.
Robertis

"Ken Schaefer" wrote:
> There is no cookie involved. With Basic Authentication, the data in the
> Authorization: header isn't encrypted - it's just Base64 encoded, and
> includes your username and password.
>
> Once you have successfully authenticated, the browser (IE or Firefox, or
> whatever) continues to send the same authorization data for every subsequent
> request to the same website until either:
> a) the server sends back an Access Denied (in which case you are prompted to
> supply alternate credentials)
> b) you close your browser
>
> Cheers
> Ken
>
> "Robertis Tongbram" <RobertisTongb***@discussions.microsoft.com> wrote in
> message news:D2C40285-E110-4317-97FF-6006BAE12FDB@microsoft.com...
> > After configuring Basic Authentication in IIS6, when I try to access a
> > resource, it returns a 401 and asks for credentials. Now when I give the
> > credential, it allows the resource. After this, I try to access another
> > resource in the same virtual server, it allows the access to the resource.
> > I was assuming that the server sends a cookie to maintain the session.
> > But I don't see Set:Cookie in response header or Cookie in request header.
> > Basically, there's no cookie involved at all. For every request, the
> > Authorization header with the same encrypted value (different in the case
> > of Digest Authentication) is present.
> > Can somebody tell me where this value of Authorization header is stored.
> > The browser remembers it once authenticated in the first request.
> >
> > Thanks,
> > Robertis
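The behaviour discussed in this thread, as an added example that is not part of the original posts: the Basic value is plain Base64 and identical on every request, while a Digest response changes with the requested URI. It assumes the RFC 2617 sample credentials, a constructed realm, nonce and paths, and Digest computed without qop.

```python
import base64
import hashlib

# Sample credential pair from RFC 2617; realm, nonce and paths are constructed.
USER, PASSWORD, REALM = "Aladdin", "open sesame", "example-realm"

def basic_header(user, password):
    """Build the Authorization value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic(header):
    """Recover (user, password) from a Basic value. No key is involved."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token, validate=True).decode()
    user, sep, password = raw.partition(":")  # password may itself contain ':'
    if not sep:
        raise ValueError("malformed credentials: no ':' separator")
    return user, password

def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    def md5(s):
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")  # the request URI is part of the hash
    return md5(f"{ha1}:{nonce}:{ha2}")

def demo():
    """Return the header values a client would send for two resources."""
    nonce = "constructed-nonce-0001"  # constructed; a real server issues this
    paths = ["/reports/a.html", "/reports/b.html"]
    basic = [basic_header(USER, PASSWORD) for _ in paths]
    digest = [digest_response(USER, PASSWORD, REALM, nonce, "GET", p)
              for p in paths]
    return basic, digest

if __name__ == "__main__":
    basic, digest = demo()
    print("Basic values identical:", basic[0] == basic[1])
    print("Decoded from header:   ", decode_basic(basic[0]))
    print("Digest values differ:  ", digest[0] != digest[1])
```

Because the Basic value decodes directly to the password, it needs TLS on every request, not only on the one that answers the 401.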