Solved

HTTP Protocol Header; WWW-Authenticate:, Authorize: and Location: !

Posted on 1997-12-01
Last Modified: 2013-12-25
I've written an HTTP client which generates its own
HTTP-headers.  Now I'm trying to get information from a
site which requires Username and Password.
When contacting the site in "normal manner", I get the
reply:
HTTP/1.1 401 Authorization Required
Date: Mon, 01 Dec 1997 17:33:15 GMT
Server: Apache/1.2.4
WWW-Authenticate: Basic realm="TDN Ajour"
Connection: close
Content-Type: text/html


... so I send back the following reply:
GET http://www.somehost.com/protected-area/ HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.03 [en] (Win95; I)
Authorization: Basic NXjhiehfiiIHFIihfiHIDhdihfIHDIH  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Content-Type: text/html

... so far so good.  I know that the User:pass is encoded
correctly (PS: the above is just bogus to illustrate),
because I get a new 401 error if I send an invalid username.

But when doing this (sending the correct user:pass),
I get a reply indicating a location change:
HTTP/1.1 302 Moved Temporarily
Date: Mon, 01 Dec 1997 17:34:30 GMT
Server: Apache/1.2.4
Location: http://www.somehost.com/protected/bin2/setuid.pl
Connection: close
Content-Type: text/html

Now I don't know what to do!!!

I've tried sending the same request to the new location URL, that is:
GET http://www.somehost.com/protected/bin2/setuid.pl HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.03 [en] (Win95; I)
Authorization: Basic NXjhiehfiiIHFIihfiHIDhdihfIHDIH  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Content-Type: text/html

...but get the reply:
HTTP/1.1 302 Moved Temporarily
Date: Mon, 01 Dec 1997 17:34:30 GMT
Server: Apache/1.2.4
Location: http://www.somehost.com/protected/bin2/error.pl
Connection: close
Content-Type: text/html

When contacting http://www.somehost.com/protected/bin2/error.pl
I get a stupid error message back....

(PS: It's not as simple as - like - I've forgotten a CRLF
on the end of each line in the HTTP request, but probably
just some info which I've forgotten to add in the
"relocated" request...)

So - should a "relocation" request contain some additional information
to indicate the document which was *originally* requested?
Or have I missed something else here....


(Additional/summary info which might be helpful...:
 From what I can gather, the server closes down the connection after
 sending back a 401 error.
 I've tried to reconnect to the server using the very socket which
 I was using when I got the 401 error, but that won't work.
 (connect() fails!!?)
 What I'm doing to solve this is:
    1. Issuing a closesocket() on the socket.
    2. Creates a new socket
    3. connects to the site again.
    4. Sends the same request as before with additional
       Authorization: info...
    5. Gets a 302 error (temporarily moved)
    6. Step 1-5 at the new location...
    7. Gets a new 302 error a.s.o...    )


This is really messing me up bigtime! :)

So... I'm *really* looking forward to some help on this one!!!!!!

    Regards,
            Eljar Ness


Question by:mdhq
 

Author Comment

by:mdhq
ID: 1855688
If there is some HTTP-tool out there where you can design
a request sequence (headers), it'd help a lot...
(Or maybe I just should write one myself???)

Eljar.
0
 

 
LVL 6

Expert Comment

by:Holger101497
ID: 1855691
hmm... I probably can't give you an answer, but I'll try to help a little anyway: What happens if you connect to that site using Netscape and just enter username&PW in the box? Where do you end up? Does the site also display "Temp. moved"?

I also know that there is some way of monitoring all incoming/outgoing information - maybe I can find out for you. That way you could see exactly what Netscape sends and just play copycat :-))
0
 

Author Comment

by:mdhq
ID: 1855692
I end up receiving the page which I was requesting!
So obviously, Netscape sends some additional information
which results in correct "relocation"...

If you know of any software (or trick with Netscape) to monitor out-/incoming info, it'd *really* be great.

Regards,
             mdhq
0
 
LVL 6

Accepted Solution

by:
alamo earned 180 total points
ID: 1855693
Hi again mdhq!

The 2nd redirect would certainly seem to be because the script called by the first redirect failed. The question of course is why?

One possibility: I think you should send the Host: header we talked about before, the called script could conceivably look for it.

Does your test in Netscape involve clicking on a link? The script might expect a referring link as well, you should send it if applicable. (And keep sending the same referer for the redirects).

Another (less likely) possibility is that the server has previously set a cookie, look in your cookies.txt file.

But you are right, perhaps the easiest way to debug this is to see what Netscape sends. I had assumed from your detailed header descriptions you already had a way, but since you don't here's the only good one I've found: Socket Spy, at http://www.win-tech.com/sktspy.htm. The demo version is time-limited but good enough to see headers (and a full 30-day evaluation is available just by asking).

Hope between these various suggestions (or more likely the socket spy) you can solve your problem... good luck!
0
 

Author Comment

by:mdhq
ID: 1855694
Great to run into someone who actually has more experience
than me on this one! :)) Very cool!

Using the socket Spy, which by the way is a GREAT program(!!!),
I discovered that a cookie is sent by *netscape*.
However, I can't find anything about cookies in RFC1945...
(How to design cookies a.s.o. )  
The cookie sent by Netscape is:
  Cookie:.count=6a57a60887e657b60798fa74f3f314b45b156464845505;
  .OMH=252011004446;.count=2 CRLF
....and is sent in the VERY first request to the server.
Which RFC (or other doc) contains the information needed on
how to create unique cookies, and how do *servers* use these cookies?   Are there some code-scheme, and if yes - is there
some source available on this scheme?  
Will all servers store cookies when a client tries to access
protected area?  IF yes:For how long?

Hoping to hear from you in the very near future!!  

    Best regards,
                   mdhq

 

0
 

LVL 6

Expert Comment

by:alamo
ID: 1855696
The way cookies work is that the server sends the cookie to the client as part of the header, and then until the cookie expires (which might be as soon as you close the browser) the client is supposed to send the cookie back to the server on every transaction. Servers often use this to track people. For the moment you can probably get away with sending the exact string you saw NS send.

Netscape invented the cookie, their intro is at http://home.netscape.com/newsref/std/cookie_spec.html. The RFC is at http://www.cis.ohio-state.edu/htbin/rfc/rfc2109.html.

Cookies are somewhat complex - NS botched the implementation in some ways (in my opinion), and Microsoft saw fit to implement them with poorly-documented limitations. There are a bunch of sites out there - start at http://www.yahoo.com/Computers_and_Internet/Internet/World_Wide_Web/HTTP/Protocol_Specification/Persistent_Cookies/ and go from there :-)
0
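
Added example (not part of the original thread and not code from either poster): one way a hand-rolled client can build the follow-up request for a 302, sending Host:, returning stored cookies, and re-sending Basic credentials only when the redirect stays on the origin that asked for them. The function names, the Set-Cookie line in the sample response and the token (base64 of "user:pass") are constructed for illustration; cookie scoping is simplified to per-host, ignoring path, domain and expiry.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the 302 from the question plus a Set-Cookie line
# (the thread never shows the server's Set-Cookie, so that line is assumed).
SAMPLE_302 = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Apache/1.2.4\r\n"
    "Set-Cookie: OMH=252011004446; path=/\r\n"
    "Location: http://www.somehost.com/protected/bin2/setuid.pl\r\n"
    "Connection: close\r\n\r\n"
)

def origin(url):
    """Scheme, host and port: the unit credentials are bound to."""
    s = urlsplit(url)
    return (s.scheme, s.hostname, s.port)

def parse_response(raw):
    """Return (status code, [(header name, value), ...]) from a raw response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return int(lines[0].split()[1]), headers

def next_request(url, raw, jar, basic_token, auth_url):
    """Build the follow-up GET for a redirect; None when there is nothing to follow."""
    status, headers = parse_response(raw)
    for name, value in headers:                      # store cookies per host
        if name.lower() == "set-cookie":
            k, _, v = value.split(";", 1)[0].strip().partition("=")
            jar.setdefault(urlsplit(url).hostname, {})[k] = v
    location = next((v for n, v in headers if n.lower() == "location"), None)
    if status not in (301, 302) or location is None:
        return None
    new_url = urljoin(url, location)                 # Location may be relative
    t = urlsplit(new_url)
    path = (t.path or "/") + ("?" + t.query if t.query else "")
    out = [f"GET {path} HTTP/1.0", f"Host: {t.netloc}"]
    if origin(new_url) == origin(auth_url):          # credentials stay on their origin
        out.append(f"Authorization: Basic {basic_token}")
    cookies = jar.get(t.hostname, {})
    if cookies:
        out.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return new_url, "\r\n".join(out) + "\r\n\r\n"

if __name__ == "__main__":
    start = "http://www.somehost.com/protected-area/"
    print(next_request(start, SAMPLE_302, {}, "dXNlcjpwYXNz", start)[1])
```

A redirect to a different host gets neither the Authorization: header nor the stored cookie, which keeps the password from being handed to whatever server a Location: header names.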
 

Author Comment

by:mdhq
ID: 1855697
Are you sure that it's ONLY the server which sends the first
cookie?  Using socketspy, I see that Netscape sends a
cookie in the *very* first request, that is, before any
answer from the server is received (I entered the exact URL on
the Location: ... in Netscape)  
Thus - Netscape designed the cookie all by itself ;)  (??)
Anyway - I'll have a looksie at the sites you've suggested.

Again, thanx for good help! :)

Bcnya.

   mdhq



0
 
LVL 6

Expert Comment

by:alamo
ID: 1855698
Yes, I am sure - cookies can persist session-to-session and that cookie was probably set the first time you visited the site.

Netscape 4 keeps its cookies in the file cookies.txt which is in a subdirectory of the Netscape users directory. Find the file and look at it - you'll find the cookie for that site.
0
 

Author Comment

by:mdhq
ID: 1855699
Nope.  :)
I deleted the cookies.txt file, and Netscape Communicator still
sends a cookie to all hosts in the *very* first request. (??!!)
Give it a shot with socspy32, and you'll see.

The cookie is, however, "shorter":
Cookie: OMH=252011004446
The count= attribute is excluded for some reason.


0
