Thursday, March 08, 2007

WinInet and WinHTTP HTTPS Sessions send empty Authentication header

I saw this issue a while back, and had the pleasure of seeing it again today.

HTTP uses the Authentication: header to pass authentication information during authentication. For Basic authentication the information can be easily decoded to retrieve the UserId and password: the header is Base64 encoded and NOT encrypted. (That's a good reason for NOT using Basic authentication without SSL.) The handshake is as follows:

  1. Client submits a request without authentication header
  2. Server responds with 401 and a WWW-Authenticate header that specifies the allowed authentication schemes
  3. Client resends the original request and provides an Authentication header that includes the authentication credentials.

The usual code on the server is:

    If Not Authenticated
        If Authentication header does not exist or is empty,
            return 401
        Else
            authorize
    Decode Authentication header to retrieve UserId for ......

What I've seen is that once the connection is established, the server considers the client authenticated, but the client (WinInet, WinHTTP, etc.) might pass an empty authentication header. That means the code above will skip authentication but will not be able to retrieve the UserId. I wasn't able to find a lot of documentation on this; actually only one good link: http://www1.tools.ietf.org/html/draft-johansson-http-gss-00. There are two ways that we were able to solve the problem. The easy way:

    If Authentication header does not exist or is empty,
        return 401
    Else
        If Not Authenticated
            authorize
        Decode Authentication header to retrieve UserId for ......

And the more complicated way:

    If Not Authenticated
        If Authentication header does not exist or is empty,
            return 401
        Else
            authorize
            Store UserId in connection context
    Use connection context to retrieve UserId for ......

The second solution is faster since it caches the authentication result and the UserId. However, it is a more complicated solution.
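As an added example (not the post's own code), a small Python replay of the three server variants against the request sequence described above: one request without credentials, one with Basic credentials, and then a request on the same kept-alive connection that carries an empty header, as the post reports WinInet/WinHTTP doing. On the wire the header is named Authorization; the credential store and user name are constructed, and a malformed header is treated the same as a missing one.

```python
import base64

USERS = {"alice": "s3cret"}  # constructed sample credential store

def decode_basic(header):
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    user, _, pwd = base64.b64decode(header[6:]).decode().partition(":")
    return user, pwd

def handle_original(conn, headers):
    # The post's original logic: authorize once, then decode the header
    # on every request to get the UserId. Returns (status, user_id).
    if not conn["authenticated"]:
        creds = decode_basic(headers.get("Authorization"))
        if creds is None or USERS.get(creds[0]) != creds[1]:
            return 401, None
        conn["authenticated"] = True
    creds = decode_basic(headers.get("Authorization"))  # empty later on
    return 200, creds[0] if creds else None

def handle_easy(conn, headers):
    # Easy fix: reject a missing/empty header first, then authorize if needed.
    creds = decode_basic(headers.get("Authorization"))
    if creds is None:
        return 401, None
    if not conn["authenticated"]:
        if USERS.get(creds[0]) != creds[1]:
            return 401, None
        conn["authenticated"] = True
    return 200, creds[0]

def handle_cached(conn, headers):
    # Connection-context fix: store the UserId once, reuse it afterwards.
    if not conn["authenticated"]:
        creds = decode_basic(headers.get("Authorization"))
        if creds is None or USERS.get(creds[0]) != creds[1]:
            return 401, None
        conn["authenticated"], conn["user"] = True, creds[0]
    return 200, conn["user"]

def run(handler):
    """Replay the observed sequence on one kept-alive connection."""
    conn = {"authenticated": False, "user": None}  # per-connection context
    first = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
    later = {"Authorization": ""}  # empty header on the already-authenticated connection
    return [handler(conn, {}), handler(conn, first), handler(conn, later)]
```

The original handler returns 200 with no UserId on the third request, the easy fix answers 401 so the client resends its credentials, and the cached variant serves it from the connection context.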

1 comment:

Anonymous said...

hmm.. love this post!