Setup: Apache 2.2, mod_auth_sspi 1.0.3/1.0.4, mod_wsgi 3.3, Python 2.6.2

Some background information: Whenever IE hits a URL that requires it to perform NTLM challenge-response, further POST requests to the same domain are performed as follows:

  • A zero-length POST (Content-Length 0) is performed
  • The server replies with 401. WWW-Authenticate header contains the NTLMSSP challenge
  • A 'real' (full-length) POST is sent with the Authorization header set to the NTLMSSP_AUTH (response)

And everything is ok.

However, once a page that doesn't require authentication (the server doesn't respond with 401) is hit, terrible things happen: the zero-length POST is promptly forwarded to the application and all sorts of weirdness ensues: forms don't get submitted properly, files are not uploaded and so on. I've observed this behaviour with IE 7 and 8.

This is not speculation; I've actually sniffed the traffic and everything goes exactly as I've outlined above.

Has anyone ever encountered this? I am wondering what would be the cleanest workaround in this case. Or maybe this is a non-problem and I am just seeing things?
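
To confirm from the server side which URLs receive the bodiless POST described in the question, the following added example (not part of the original post, and not mod_auth_sspi or mod_wsgi code) classifies a WSGI request against the three-step exchange and logs probes that reach the application. It is written for Python 3, all function names are hypothetical, and it assumes the zero-length POST carries an NTLM type 1 (NEGOTIATE) token in its Authorization header, which the post does not state, and that mod_wsgi is configured with `WSGIPassAuthorization On` so the header reaches the application.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def sample_header(msg_type):
    """Constructed sample: a minimal NTLMSSP header (signature, type, flags)."""
    raw = b"NTLMSSP\x00" + struct.pack("<II", msg_type, 0)
    return "NTLM " + base64.b64encode(raw).decode("ascii")

def ntlm_message_type(header_value):
    """Name the NTLMSSP message in an Authorization/WWW-Authenticate value."""
    scheme, _, token = (header_value or "").strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(b"NTLMSSP\x00"):
        return None
    # Bytes 8..11 hold the little-endian message type.
    return NTLM_TYPES.get(struct.unpack_from("<I", raw, 8)[0])

def classify_request(environ):
    """Map a WSGI request onto the steps of the exchange in the post."""
    if environ.get("REQUEST_METHOD") != "POST":
        return "other"
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = -1  # malformed header: never treat as a probe
    # Assumption: the zero-length POST carries a type 1 token (not stated in the post).
    # HTTP_AUTHORIZATION only reaches a mod_wsgi app with WSGIPassAuthorization On.
    kind = ntlm_message_type(environ.get("HTTP_AUTHORIZATION"))
    if length == 0 and kind == "NEGOTIATE":
        return "ntlm-probe"       # bodiless POST that expects a 401 challenge
    if kind == "AUTHENTICATE":
        return "ntlm-auth-post"   # the 'real' POST carrying the response
    return "plain-post"

def probe_logger(app, log):
    """WSGI wrapper: record probes that reach the app instead of getting a 401."""
    def wrapper(environ, start_response):
        if classify_request(environ) == "ntlm-probe":
            log("NTLM probe reached application: " + environ.get("PATH_INFO", ""))
        return app(environ, start_response)
    return wrapper
```

Wrapping the application object with `probe_logger(application, log_function)` leaves request handling unchanged and only records the paths where the probe was not answered with a 401.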