[ietf-http-auth] Test Scenarios, was: Cookie-based HTTP Authentication (draft-broyer-http-cookie-auth-00)

Thomas Broyer t.broyer at gmail.com
Sun Jan 11 12:00:36 PST 2009


On Sun, Jan 11, 2009 at 6:40 PM, Julian Reschke wrote:
> Thomas Broyer wrote:
>>
>> ...
>> Tests at: http://ltgt.net/tests/http-cookie-auth/
>> Results at:
>> http://hg.ltgt.net/http-cookie-auth/raw-file/tip/ua-compat.html
>> ...
>
> So it seems that there are at least three scenarios to be tested:

Note that the "results" above are only for WWW-Authenticate /
Cookie (test00).

> - 401 with no WWW-Authenticate header (illegal according to RFC2617, but
> interesting to see how the various UAs behave),

http://ltgt.net/tests/http-cookie-auth/no-www-authenticate.asis
HTML content displayed as is in all the browsers I've tested (same
list as ua-compat.html)

> - 401 with WWW-Authenticate / Cookie, and

http://ltgt.net/tests/http-cookie-auth/test00/
Results in ua-compat.html linked above.
Summary: will work in Chrome (works in "dev" version), doesn't work in
Opera (blocking error page) but I've filed a bug so I hope it'll be
fixed in Opera 10.

> - 401 with WWW-Authenticate / Cookie *and* Basic (for instance).

http://ltgt.net/tests/http-cookie-auth/cookie-and-basic.asis
http://ltgt.net/tests/http-cookie-auth/basic-and-cookie.asis

You'd have to sniff your connection (I generally use Fiddler on
Windows) to know what your browser actually does.

Chrome "stable" pops up the authentication dialog with "Cookie" in the
first test and "Basic" in the second, so I guess (I have no Fiddler at
hand) in the first case it won't send any Authorization header to the
server (as in the simple WWW-Authenticate / Cookie test).

Opera 9.63 shows the blocking error page for cookie-and-basic, and
pops up the authentication dialog for basic-and-cookie; so order
matters.

IE7 and Firefox 3 (3.0.4) both show the 401 response body in the
cookie-and-basic case, and pop up the authentication dialog in the
basic-and-cookie case.

Safari 3.2.1 on Windows shows the "Basic" prompt in both cases. When
you dismiss the prompt, you're *not* given the 401 response body.


-- 
Thomas Broyer
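
Added example (not part of the original message or of the draft): a Python sketch that lists the challenge schemes a 401 response offers, in the order the server sent them, since the results above show that order changes what browsers do. The sample responses are constructed; the `Cookie` challenge parameters, and whether the two challenges share one header or use two, are assumptions.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# A list element opens a new challenge when it starts with a token that is
# not the name of an auth-param (token "=" value).
NEW_CHALLENGE = re.compile(rf"({TOKEN})(?!\s*=)(?:\s|$)")
# Commas inside quoted strings do not separate list elements.
ELEMENT = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^,])+')

# Constructed responses modelled on the four test URLs above (not captures).
# Assumption: realm is the only challenge parameter shown.
TAIL = "\r\nContent-Type: text/html\r\n\r\n<p>Please log in</p>"
SAMPLES = {
    "no-www-authenticate": "HTTP/1.1 401 Unauthorized" + TAIL,
    "test00": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Cookie realm="t"' + TAIL,
    "cookie-and-basic": "HTTP/1.1 401 Unauthorized\r\n"
        'WWW-Authenticate: Cookie realm="a, b", Basic realm="t"' + TAIL,
    "basic-and-cookie": "HTTP/1.1 401 Unauthorized\r\n"
        'WWW-Authenticate: Basic realm="t"\r\nWWW-Authenticate: Cookie realm="t"' + TAIL,
}


def offered_schemes(raw_response):
    """Return (status, [schemes in server order], problem or None)."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    schemes = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for element in ELEMENT.findall(value):
            m = NEW_CHALLENGE.match(element.strip())
            if m:
                schemes.append(m.group(1))
    problem = None
    if status == 401 and not schemes:
        problem = "401 without WWW-Authenticate (illegal per RFC 2617)"
    return status, schemes, problem


if __name__ == "__main__":
    for case, raw in SAMPLES.items():
        print(case, offered_schemes(raw))
```
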

