[ietf-http-auth] Test Scenarios, was: Cookie-based HTTP Authentication (draft-broyer-http-cookie-auth-00)

Thomas Broyer t.broyer at gmail.com
Mon Jan 12 05:41:16 PST 2009

On Sun, Jan 11, 2009 at 11:50 PM, Thomas Broyer wrote:
> On Sun, Jan 11, 2009 at 10:17 PM, Yngve N. Pettersen (Developer Opera
> Software ASA) wrote:
>> WWW-Authenticate: Cookie realm="Cookie", Basic realm="Basic"
> My *.asis file contained two distinct headers, so it must be an
> artifact of apache mod_asis...
> I've put the tests under version control so you can get the source and
> run them with some other server:
> http://hg.ltgt.net/http-cookie-auth/file/tip/tests

I've just added a small python script to serve an *.asis file for all
incoming requests:
(call the script with the asis file as the first argument, the server
will listen on port 8000; it also dumps the request headers on stdout)

Results for cookie-and-basic:
All tested browsers prompt for "Basic" (i.e. ignore the unknown
"cookie" scheme): IE (6, 7 and 8b2), Firefox (, 3.0.5 and
3.1b2), Opera (9.63 and 10), Safari 3.2.1/Windows, and Chrome

Results for basic-and-cookie:
I've only tested Opera (9.63 and 10) and Chrome Dev ( on
this one, and the results are the same as above; i.e. order of the
WWW-Authenticate headers doesn't matter.

These are the expected results, per RFC2616 (AFAICT).

@Julian: this means that if you want to mix Cookie and Basic at the
same URL, you'll have Basic unless the user has already authenticated
with Cookie at another (non-mixed) URL.

Thomas Broyer

More information about the ietf-http-auth mailing list