I've got a web application running on Tomcat with Digest authentication, when I first enter the webapp in IE I'm being asked for credentials and it occurs again without a reason but not for every request. By inspecting incoming requests in Fiddler and from the actual Authenticator implementation I can see that cnonce values are reused and nonce-count gets increment correctly but requests were sent in a wrong order.
This one having auth header
Authorization: Digest username="admin",realm="Realm",nonce="1331743957403:f9045aa37b855fd47a83365d1ca141fe",uri="/webapp/images/admin_header.gif",cnonce="be4f3408326bb74091fa129de6fca8c6",nc=00000011,response="6ea0228612c2840f61f9a28ba06b30ea",qop="auth",opaque="E1BD9E5F91846667D855156D6C7FCDC7"
came prior to following one
Authorization: Digest username="admin",realm="Realm",nonce="1331743957403:f9045aa37b855fd47a83365d1ca141fe",uri="/webapp/images/section_header.gif",cnonce="be4f3408326bb74091fa129de6fca8c6",nc=00000010,response="560fea74f4019232cfaa357b080f942f",qop="auth",opaque="E1BD9E5F91846667D855156D6C7FCDC7"
which is considered to be an HTTP attack as reported in http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184 and therefore the server asks for credentials again.
Requested resources were referenced from a CSS file, does that matter and is there a way how to solve this?
MSDN IE Development Forum (post such questions here instead)
Tip: When posting in Developer forums, always include a link to your web site or test pages in your first post.
IE Developer Center
IE’s Compatibility Features for Site Developers
Preparing Your Site for IE9
~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft