IE repeatedly asks for authentication

    Question

  • I've got a web application running on Tomcat with Digest authentication. When I first enter the webapp in IE I'm asked for credentials, and this occurs again without a reason, but not for every request. By inspecting incoming requests in Fiddler and from the actual Authenticator implementation, I can see that cnonce values are reused and nonce-count gets incremented correctly, but requests were sent in the wrong order.

    This one, having the auth header

    Authorization: Digest username="admin",realm="Realm",nonce="1331743957403:f9045aa37b855fd47a83365d1ca141fe",uri="/webapp/images/admin_header.gif",cnonce="be4f3408326bb74091fa129de6fca8c6",nc=00000011,response="6ea0228612c2840f61f9a28ba06b30ea",qop="auth",opaque="E1BD9E5F91846667D855156D6C7FCDC7"

    came prior to the following one

    Authorization: Digest username="admin",realm="Realm",nonce="1331743957403:f9045aa37b855fd47a83365d1ca141fe",uri="/webapp/images/section_header.gif",cnonce="be4f3408326bb74091fa129de6fca8c6",nc=00000010,response="560fea74f4019232cfaa357b080f942f",qop="auth",opaque="E1BD9E5F91846667D855156D6C7FCDC7"

    which is considered to be an HTTP attack as reported in http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184 and therefore the server asks for credentials again.

    Requested resources were referenced from a CSS file. Does that matter, and is there a way to solve this?


    Wednesday, March 14, 2012 5:13 PM
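
Added example (not part of the original post, and not Tomcat's code): a Python sketch of why the arrival order matters for Digest replay protection. It parses the two headers from the question in the order they arrived and runs them through a strict "nc must increase" check and through a windowed check that accepts each nc once regardless of order; the class names, the `replay` helper and the window size of 32 are assumptions for illustration.

```python
import re

# The two headers from the question, rebuilt from a shared template,
# in the order the server received them (nc=00000011 before nc=00000010).
TEMPLATE = ('Digest username="admin",realm="Realm",'
            'nonce="1331743957403:f9045aa37b855fd47a83365d1ca141fe",uri="{uri}",'
            'cnonce="be4f3408326bb74091fa129de6fca8c6",nc={nc},response="{resp}",'
            'qop="auth",opaque="E1BD9E5F91846667D855156D6C7FCDC7"')
ARRIVED = [
    TEMPLATE.format(uri="/webapp/images/admin_header.gif", nc="00000011",
                    resp="6ea0228612c2840f61f9a28ba06b30ea"),
    TEMPLATE.format(uri="/webapp/images/section_header.gif", nc="00000010",
                    resp="560fea74f4019232cfaa357b080f942f"),
]
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_digest(header):
    """Return the Digest parameters as a dict; nc is decoded from hex."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(params)}
    fields["nc"] = int(fields["nc"], 16)
    return fields

class StrictCounter:
    """Accept a request only if nc exceeds the last nc seen for its nonce."""
    def __init__(self):
        self.last = {}
    def accept(self, nonce, nc):
        if nc <= self.last.get(nonce, 0):
            return False          # looks like a replay: re-challenge the client
        self.last[nonce] = nc
        return True

class WindowedCounter:
    """Accept each nc exactly once, tolerating reordering within `window`."""
    def __init__(self, window=32):  # window size is an assumed value
        self.window, self.seen = window, {}
    def accept(self, nonce, nc):
        seen = self.seen.setdefault(nonce, set())
        highest = max(seen, default=0)
        if nc < 1 or nc in seen or nc <= highest - self.window:
            return False          # replayed or too old to verify
        seen.add(nc)
        floor = max(highest, nc) - self.window
        seen.difference_update({v for v in seen if v <= floor})
        return True

def replay(headers, checker):
    """Feed headers to a checker in arrival order; return accept decisions."""
    return [checker.accept(f["nonce"], f["nc"]) for f in map(parse_digest, headers)]
```

With the strict check the second request (nc=00000010) is refused even though it is a legitimate parallel request; the windowed check accepts both and still refuses a genuine repeat of either value.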

Answers