Hi folks, I've observed three bugs in IE6's digest proxy authentication implemention. Is anyone able to confirm that it's Not Just Me, and whether any good workarounds are already out there? 1. Double-quote-marks in URLs. IE sends a digest-uri-value that's improperly escaped, as in (when visiting http://localhost/test.html"foo): Digest username="User Name", realm="Login", qop="auth", algorithm="MD5", uri="/test.html"foo", nonce="q3... vs Firefox which sends: Digest username="User Name", realm="Login", nonce="42yWQuDPGw/gebJ8", uri="/test.html%22foo", response="666... I've worked around this by means of a hack in authenticateDigestDecodeAuth. 2. Never reuses a nonce - always sends a request, gets a 407 challenge with a new nonce value, then reissues the request with the correct Proxy-Authorization header; this doubles the number of actual HTTP requests; is there a workaround? 3. IE gets confused when a website uses a 401 authentication challenge. In this case, it prompts for and sends the Authorization: header, but then repeatedly re-prompts the user for their proxy credentials. I've worked around this by inventing the following access list: acl msie-win-browser browser MSIE.*Windows acl basic-auth auth_regex Basic auth_param digest access deny msie-win-browser basic-auth auth_param digest access allow all Yes, I had to invent "auth_regex" and "auth_param digest access". This ACL effectively downgrades the user to using basic proxy auth if using basic www auth. I'd especially like a solution for bug 3, because the workaround is ugly, insecure and expensive. I have a case open with Microsoft Partner Support right now. Oddly enough, IE5 on the Mac doesn't have any of these symptoms. Any takers? -- Joshua Goodall "as modern as tomorrow afternoon" joshua@xxxxxxxxxxxxxx - FW109
