Summary: digest authentication fails to handle a URL of the form http://domain.world/page.type?querystring
Component: mod_auth_digest
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Description reintsh.www01 2004-03-17 19:57:03 UTC
When using digest authentication, a URL request including a query_string is not handled properly. Apache returns:

    Bad Request
    Your browser sent a request that this server could not understand.

The error log contains a message like:

    Digest: uri mismatch - </mysite/test.htm> does not match request-uri </mysite/test.htm?something>

When disabling digest authentication it works as expected.

Regards, Henk.
Comment 1 Joshua Slive 2004-03-17 20:37:36 UTC
This is a known bug in MSIE. See, for example, http://www.apacheweek.com/issues/02-12-20#dev

It is even documented in Apache: http://httpd.apache.org/docs-2.0/mod/mod_auth_digest.html#using

There is a patch to hack around the MSIE bug: http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=105510860505665&w=2

But there was never a developer consensus on whether patching around MSIE's problems was a good idea. I'll leave this bug open to see if anyone's opinion has changed. I personally think the work-around is a good idea.
Comment 2 Geoffrey Young 2004-03-18 18:19:07 UTC
I think it would be a good idea to provide msie support here if msie 6 is still broken.

that said, I'm not too sure that I like the proposed patch. it's fine, but I feel in my gut that we shouldn't be messing with the digest algorithm proper - there's nothing to protect against a mismatched query string in this case, even though it's still important. but I like the BrowserMatch approach.

I think the solution I'd rather see is constructing the compared uri from uri+query if the hack is set, keeping the query as part of the comparison. I'll work on an alternative patch and move the discussion to httpd-dev if there is some consensus that my approach has merit.
Comment 3 Geoffrey Young 2004-03-23 14:03:56 UTC
solution applied to 2.1, pending review for backport to 2.0 http://marc.theaimsgroup.com/?l=apache-cvs&m=108005027128025&w=2
Comment 4 Paul Querna 2004-07-10 07:51:03 UTC
committed to 2.0.51-dev.
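
The URI comparison discussed in this thread, as an added example in C that is not part of the bug report and is not Apache's own code: it compares the digest `uri` value with the request-URI and, only when a per-client flag is set, rebuilds the compared URI from uri+query as Comment 2 proposes. The names `check_digest_uri` and `query_hack` are hypothetical; the sample URIs come from the error log line in the description.

```c
#include <stdio.h>
#include <string.h>

enum uri_check { URI_MATCH = 0, URI_MISMATCH = 1 };

/*
 * digest_uri:  uri= value from the Authorization: Digest header
 * request_uri: request-URI from the request line
 * query_hack:  nonzero only for clients flagged (for example by a
 *              BrowserMatch rule) as omitting the query string
 */
enum uri_check check_digest_uri(const char *digest_uri,
                                const char *request_uri, int query_hack)
{
    char rebuilt[2048];
    const char *query;
    int n;

    /* Compliant clients: the two values must be identical. */
    if (strcmp(digest_uri, request_uri) == 0)
        return URI_MATCH;
    if (!query_hack)
        return URI_MISMATCH;

    /* The workaround applies only when the header value carries no query
     * string and the request line does. */
    query = strchr(request_uri, '?');
    if (query == NULL || strchr(digest_uri, '?') != NULL)
        return URI_MISMATCH;

    /* Rebuild uri+query and compare the whole string, so the path must
     * still match exactly. Fail closed if the buffer is too small. */
    n = snprintf(rebuilt, sizeof rebuilt, "%s%s", digest_uri, query);
    if (n < 0 || (size_t)n >= sizeof rebuilt)
        return URI_MISMATCH;
    return strcmp(rebuilt, request_uri) == 0 ? URI_MATCH : URI_MISMATCH;
}

int main(void)
{
    /* URIs from the error log line in the bug description. */
    const char *hdr = "/mysite/test.htm";
    const char *req = "/mysite/test.htm?something";

    printf("strict:     %s\n", check_digest_uri(hdr, req, 0) ? "mismatch" : "match");
    printf("workaround: %s\n", check_digest_uri(hdr, req, 1) ? "mismatch" : "match");
    return 0;
}
```

In the workaround branch the client computed its digest response over the query-less `uri` value, so the query string on the request line is accepted without being covered by the digest.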