Solved

HTTP Protocol Header; WWW-Authenticate:, Authorize: and Location: !

Posted on 1997-12-01
Last Modified: 2013-12-25
I've written a HTTP client which generates its own
HTTP-headers.  Now I'm trying to get information from a
site which requires Username and Password.
When contacting the site in "normal manner", I get the
reply:
HTTP/1.1 401 Authorization Required
Date: Mon, 01 Dec 1997 17:33:15 GMT
Server: Apache/1.2.4
WWW-Authenticate: Basic realm="TDN Ajour"
Connection: close
Content-Type: text/html


... so I send back the following reply:
GET http://www.somehost.com/protected-area/ HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.03 [en] (Win95; I)
Authorization: Basic NXjhiehfiiIHFIihfiHIDhdihfIHDIH  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Content-Type: text/html

... so far so good.  I know that the User:pass is encoded
correctly (PS: the above is just bogus to illustrate),
because I get a new 401 error if I send an invalid username.

But when doing this (sending the correct user:pass),
I get a reply indicating a location change:
HTTP/1.1 302 Moved Temporarily
Date: Mon, 01 Dec 1997 17:34:30 GMT
Server: Apache/1.2.4
Location: http://www.somehost.com/protected/bin2/setuid.pl
Connection: close
Content-Type: text/html

Now I don't know what to do!!!

I've tried sending the same request to the new location URL, that is:
GET http://www.somehost.com/protected/bin2/setuid.pl HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.03 [en] (Win95; I)
Authorization: Basic NXjhiehfiiIHFIihfiHIDhdihfIHDIH  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Content-Type: text/html

...but get the reply:
HTTP/1.1 302 Moved Temporarily
Date: Mon, 01 Dec 1997 17:34:30 GMT
Server: Apache/1.2.4
Location: http://www.somehost.com/protected/bin2/error.pl
Connection: close
Content-Type: text/html

When contacting http://www.somehost.com/protected/bin2/error.pl
I get a stupid error message back....

(PS: It's not as simple as - like - I've forgotten a CRLF
on the end of each line in the HTTP request, but probably
just some info which I've forgotten to add in the
"relocated" request...)

So - should a "relocation" request contain some additional information
to indicate the document which was *originally* requested?
Or have I missed something else here....


(Additional/summary info which might be helpful...:
 From what I can gather, the server closes down the connection after
 sending back a 401 error.
 I've tried to reconnect to the server using the very socket which
 I was using when I got the 401 error, but that won't work.
 (connect() fails!!?)
 What I'm doing to solve this is:
    1. Issuing a closesocket() on the socket.
    2. Creates a new socket
    3. connects to the site again.
    4. Sends the same request as before with additional
       Authorization: info...
    5. Gets a 302 error (temporarily moved)
    6. Step 1-5 at the new location...
    7. Gets a new 302 error a.s.o...    )


This is really messing me up bigtime! :)

So... I'm *really* looking forward to some help on this one!!!!!!

    Regards,
            Eljar Ness


Question by:mdhq
12 Comments
 

Author Comment

by:mdhq
ID: 1855688
If there is some HTTP-tool out there where you can design
a request sequence (headers), it'd help a lot...
(Or maybe I just should write one myself???)

Eljar.
0
 

LVL 6

Expert Comment

by:Holger101497
ID: 1855691
hmm... I probably can't give you an answer, but I'll try to help a little anyway: What happens if you connect to that site using Netscape and just enter username&PW in the box? Where do you end up? Does the site also display "Temp. moved"?

I also know that there is some way of monitoring all incoming/outgoing information - maybe I can find out for you. That way you could see exactly what Netscape sends and just play copycat :-))
0
 

Author Comment

by:mdhq
ID: 1855692
I end up receiving the page which I was requesting!
So obviously, Netscape sends some additional information
which results in correct "relocation"...

If you know of any software (or trick with Netscape) to monitor out-/incoming info, it'd *really* be great.

Regards,
             mdhq
0
 
LVL 6

Accepted Solution

by:
alamo earned 180 total points
ID: 1855693
Hi again mdhq!

The 2nd redirect would certainly seem to be because the script called by the first redirect failed. The question of course is why?

One possibility: I think you should send the Host: header we talked about before, the called script could conceivably look for it.

Does your test in Netscape involve clicking on a link? The script might expect a referring link as well, you should send it if applicable. (And keep sending the same referer for the redirects).

Another (less likely) possibility is that the server has previously set a cookie, look in your cookies.txt file.

But you are right, perhaps the easiest way to debug this is to see what Netscape sends. I had assumed from your detailed header descriptions you already had a way, but since you don't here's the only good one I've found: Socket Spy, at http://www.win-tech.com/sktspy.htm. The demo version is time-limited but good enough to see headers (and a full 30-day evaluation is available just by asking).

Hope between these various suggestions (or more likely the socket spy) you can solve your problem... good luck!
0

 

Author Comment

by:mdhq
ID: 1855694
Great to run into someone who actually has more experience
than me on this one! :)) Very cool!

Using the socket Spy, which by the way is a GREAT program(!!!),
I discovered that a cookie is sent by *netscape*.
However, I can't find anything about cookies in RFC1945...
(How to design cookies a.s.o. )  
The cookie sent by Netscape is:
  Cookie:.count=6a57a60887e657b60798fa74f3f314b45b156464845505;
  .OMH=252011004446;.count=2 CRLF
....and is sent in the VERY first request to the server.
Which RFC (or other doc) contains the information needed on
how to create unique cookies, and how do *servers* use these cookies?   Is there some code scheme, and if yes - is there
some source available on this scheme?  
Will all servers store cookies when a client tries to access
protected area?  If yes: for how long?

Hoping to hear from you in the very near future!!  

    Best regards,
                   mdhq

 

0
 

LVL 6

Expert Comment

by:alamo
ID: 1855696
The way cookies work is that the server sends the cookie to the client as part of the header, and then until the cookie expires (which might be as soon as you close the browser) the client is supposed to send the cookie back to the server on every transaction. Servers often use this to track people. For the moment you can probably get away with sending the exact string you saw NS send.

Netscape invented the cookie, their intro is at http://home.netscape.com/newsref/std/cookie_spec.html. The RFC is at http://www.cis.ohio-state.edu/htbin/rfc/rfc2109.html.

Cookies are somewhat complex - NS botched the implementation in some ways (in my opinion), and Microsoft saw fit to implement them with poorly-documented limitations. There are a bunch of sites out there - start at http://www.yahoo.com/Computers_and_Internet/Internet/World_Wide_Web/HTTP/Protocol_Specification/Persistent_Cookies/ and go from there :-)
0
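
Added example (not part of the thread and not any participant's code): a sketch of the client-side bookkeeping the answers above describe, covering the Host: header, returning cookies the server set, and following a 302. Credentials are bound to the origin that issued the 401 challenge and cookies to the host that set them, so a redirect to another host carries neither. The function names, the `state` layout, the Set-Cookie line and the `other.example` host are assumptions made for illustration; cookie Path, Domain and expiry attributes are ignored.

```python
import base64
from urllib.parse import urlsplit, urljoin

def basic_token(user, password):
    # Basic credentials are base64("user:password"): an encoding, not encryption.
    return base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

def parse_head(raw):
    # Split a raw response head into (status code, [(lowercased name, value)]).
    lines = raw.split("\r\n")
    status = int(lines[0].split()[1])
    fields = [l.partition(":") for l in lines[1:] if ":" in l]
    return status, [(n.strip().lower(), v.strip()) for n, _, v in fields]

def next_request(url, raw, token, state, referer=None):
    """Return (url, request lines) for the request that should follow `raw`.
    state = {"auth": {origin: token}, "cookies": {host: {name: value}}}"""
    status, headers = parse_head(raw)
    here = urlsplit(url)
    for name, value in headers:
        if name == "set-cookie":  # keep only name=value; attributes are ignored here
            k, _, v = value.split(";", 1)[0].partition("=")
            state["cookies"].setdefault(here.hostname, {})[k.strip()] = v.strip()
        elif name == "www-authenticate" and status == 401 and value.lower().startswith("basic"):
            state["auth"][(here.scheme, here.netloc)] = token  # bind to challenging origin
    if status in (301, 302):
        url = urljoin(url, dict(headers)["location"])  # Location may be relative
    there = urlsplit(url)
    origin = (there.scheme, there.netloc)
    path = (there.path or "/") + ("?" + there.query if there.query else "")
    lines = [f"GET {path} HTTP/1.0", f"Host: {there.netloc}"]
    if origin in state["auth"]:  # never forwarded to a different origin
        lines.append("Authorization: Basic " + state["auth"][origin])
    jar = state["cookies"].get(there.hostname, {})
    if jar:
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in jar.items()))
    if referer:
        lines.append(f"Referer: {referer}")
    return url, lines

# Constructed responses modelled on the thread; the Set-Cookie line and its value are invented.
CHALLENGE = ('HTTP/1.1 401 Authorization Required\r\n'
             'WWW-Authenticate: Basic realm="TDN Ajour"\r\n\r\n')
REDIRECT = ("HTTP/1.1 302 Moved Temporarily\r\n"
            "Set-Cookie: OMH=constructed-value; path=/\r\n"
            "Location: http://www.somehost.com/protected/bin2/setuid.pl\r\n\r\n")
OFFSITE = "HTTP/1.1 302 Moved Temporarily\r\nLocation: http://other.example/landing\r\n\r\n"
```

Start with `state = {"auth": {}, "cookies": {}}` and feed each response head to `next_request` in turn; join the returned lines with CRLF and end with an empty line before sending.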
 

Author Comment

by:mdhq
ID: 1855697
Are you sure that it's ONLY the server which sends the first
cookie?  Using socketspy, I see that Netscape sends a
cookie in the *very* first request, that is, before any
answer from the server is received (I entered the exact URL on
the Location: ... in Netscape)  
Thus - Netscape designed the cookie all by itself ;)  (??)
Anyway - I'll have a looksie at the sites you've suggested.

Again, thanx for good help! :)

Bcnya.

   mdhq



0
 
LVL 6

Expert Comment

by:alamo
ID: 1855698
Yes, I am sure - cookies can persist session-to-session and that cookie was probably set the first time you visited the site.

Netscape 4 keeps its cookies in the file cookies.txt which is in a subdirectory of the Netscape users directory. Find the file and look at it - you'll find the cookie for that site.
0
 

Author Comment

by:mdhq
ID: 1855699
Nope.  :)
I deleted the cookies.txt file, and Netscape Communicator still
sends a cookie to all hosts in the *very* first request. (??!!)
Give it a shot with socspy32, and you'll see.

The cookie is, however, "shorter":
Cookie: OMH=252011004446
The count= attribute is excluded for some reason.


0
