IIS Authentication

on 15.12.2006 23:35:01 by RobertisTongbram

After configuring Basic Authentication in IIS6, when I try to access a
resource, it returns a 401 and asks for credentials. Now when I give the
credential, it allows the resource. After this, I try to access another
resource in the same virtual server, it allows the access to the resource.
I was assuming that the server sends a cookie to maintain the session.
But I don't see Set-Cookie in response header or Cookie in request header.
Basically, there's no cookie involved at all. For every request, the
Authorization header with the same encrypted value (different in the case of
Digest Authentication) is present.
Can somebody tell me where this value of Authorization header is stored? The
browser remembers it once authenticated in the first request.

Thanks,
Robertis

Re: IIS Authentication

on 16.12.2006 04:38:38 by Ken Schaefer

There is no cookie involved. With Basic Authentication, the data in the
Authorization: header isn't encrypted - it's just Base64 encoded, and
includes your username and password.

Once you have successfully authenticated, the browser (IE or Firefox, or
whatever) continues to send the same authorization data for every subsequent
request to the same website until either:
a) the server sends back an Access Denied (in which case you are prompted to
supply alternate credentials)
b) you close your browser

Cheers
Ken

"Robertis Tongbram" wrote in
message news:D2C40285-E110-4317-97FF-6006BAE12FDB@microsoft.com...
> After configuring Basic Authentication in IIS6, when I try to access a
> resource, it returns a 401 and asks for credentials. Now when I give the
> credential, it allows the resource. After this, I try to access another
> resource in the same virtual server, it allows the access to the resource.
> I was assuming that the server sends a cookie to maintain the session.
> But I don't see Set-Cookie in response header or Cookie in request header.
> Basically, there's no cookie involved at all. For every request, the
> Authorization header with the same encrypted value (different in the case
> of Digest Authentication) is present.
> Can somebody tell me where this value of Authorization header is stored?
> The browser remembers it once authenticated in the first request.
>
> Thanks,
> Robertis
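
An added example, not part of the original thread: the sketch below decodes a Basic `Authorization` header value to show that it is only Base64 of `username:password`, and flags requests that carry it over plain HTTP, where every repeated request exposes the credentials again. The request list and host name are constructed for illustration; the `Aladdin` value is the standard sample credential from the HTTP authentication RFCs.

```python
import base64
import binascii


def decode_basic(header_value):
    """Return (username, password) from a Basic Authorization header value,
    or None when the value uses another scheme or is malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None  # Digest, NTLM and Negotiate use different formats
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password  # split on the first ':' only; passwords may contain ':'


# Constructed sample: requests as a proxy or capture would record them.
# The browser repeats the identical header on each request to the site.
HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
SAMPLE_REQUESTS = [
    {"url": "http://intranet.example/reports/a.aspx", "authorization": HEADER},
    {"url": "http://intranet.example/reports/b.aspx", "authorization": HEADER},
    {"url": "https://intranet.example/reports/c.aspx", "authorization": HEADER},
    {"url": "http://intranet.example/public/logo.gif", "authorization": ""},
]


def cleartext_exposures(requests):
    """Return (url, username) for each request sending Basic credentials without TLS."""
    findings = []
    for req in requests:
        creds = decode_basic(req.get("authorization", ""))
        if creds and req["url"].lower().startswith("http://"):
            findings.append((req["url"], creds[0]))
    return findings


if __name__ == "__main__":
    print(decode_basic(HEADER))
    for url, user in cleartext_exposures(SAMPLE_REQUESTS):
        print("Basic credentials for", user, "sent in cleartext to", url)
```
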

Re: IIS Authentication

on 19.12.2006 04:40:01 by RobertisTongbram

Thanks a lot Ken.
I was interested particularly when the browser remembers the credentials.
I started thinking on these lines when I assumed a use-case when this
browser-remembering-credential thingy might start interfering (or overriding)
any authorization (or authentication) policies at the server side.

I was assuming browser should also act stateless (as in stateless HTTP),
unless server says something.

PS: I said 'encrypted' Authorization header so it is more generic (like
Digest auth)

Anyways, thanks for your time.

Robertis

"Ken Schaefer" wrote:

> There is no cookie involved. With Basic Authentication, the data in the
> Authorization: header isn't encrypted - it's just Base64 encoded, and
> includes your username and password.
>
> Once you have successfully authenticated, the browser (IE or Firefox, or
> whatever) continues to send the same authorization data for every subsequent
> request to the same website until either:
> a) the server sends back an Access Denied (in which case you are prompted to
> supply alternate credentials)
> b) you close your browser
>
> Cheers
> Ken
>
> "Robertis Tongbram" wrote in
> message news:D2C40285-E110-4317-97FF-6006BAE12FDB@microsoft.com...
> > After configuring Basic Authentication in IIS6, when I try to access a
> > resource, it returns a 401 and asks for credentials. Now when I give the
> > credential, it allows the resource. After this, I try to access another
> > resource in the same virtual server, it allows the access to the resource.
> > I was assuming that the server sends a cookie to maintain the session.
> > But I don't see Set-Cookie in response header or Cookie in request header.
> > Basically, there's no cookie involved at all. For every request, the
> > Authorization header with the same encrypted value (different in the case
> > of Digest Authentication) is present.
> > Can somebody tell me where this value of Authorization header is stored?
> > The browser remembers it once authenticated in the first request.
> >
> > Thanks,
> > Robertis