Http Client Protocol Issues

If you use any of these solutions, Please let me know so I can track if any of this is useful to you! Thanks! This is an area to share observations I have made working with Http Client Protocols and the associated technologies. I currently work for the Microsoft team that supports the WinInet, WinHTTP and System.Net API's and classes associated with these technologies. This is not a replacement for Microsoft Support, but an area to discuss these technologies. These postings are provided "AS IS" with no warranties, and confer no rights. Use of included code samples are subject to the terms specified at Microsoft - Information on Terms of Use

Understanding the New WinInet option: INTERNET_OPTION_SUPPRESS_SERVER_AUTH

With the release of Internet Explorer 8 comes a new option for WinInet programming: INTERNET_OPTION_SUPPRESS_SERVER_AUTH.  The MSDN documentation is very specific and describes how the option affects authorization, but I like to see things in action!  How about some sample code for INTERNET_OPTION_SUPPRESS_SERVER_AUTH?

This option is documented here: http://msdn.microsoft.com/en-us/library/aa385328(VS.85).aspx (note that if you are not using the latest SDK headers, the value for this option is also documented here).

To sum it up, use this option so your WinInet application will allow you to use credentials to authorize through a proxy, but don't pass credentials to the endpoint server.

To understand this option you can modify the HttpAuth example in the Platforms SDK and see how this option can be used to create a sample.  Then you can use Fiddler (http://www.fiddlertool.com) to request proxy credentials and verify that you cannot pass credentials to an endpoint server.

Since this is an option for the request you set this on the request handle just before you execute the request:

InternetSetOption(hRequest,INTERNET_OPTION_SUPPRESS_SERVER_AUTH,NULL,0);

// Send request.
fRet = HttpSendRequest( hRequest, // request handle
"", // header string
0, // header length
NULL, // post data
0 // post length
);

Next configure Fiddler to require proxy authentication by selecting the menu item 'Rules' and check the 'Require Proxy Authentication' option.  If you look at the help documentation on this feature you will discover the password and user id is '1' for this setting.

Finally run the HttpAuth sample and see that it will prompt you for the Proxy authorization, and once you enter these credentials you cannot send credentials to the end point server.  Even if you use the custom UI and use InternetSetOption to set the username and password, WinInet will not send these credentials.

 Note that in the documentation for this option, it suggests you use the INTERNET_OPTION_NO_COOKIES option as well to prevent Cookie based Authentication to the end point server.

Let me know if this was useful to you!

Published Thursday, June 04, 2009 10:45 AM by jpsanders

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

No Comments

Leave a Comment

(required) 
(optional)
(required) 

  
Enter Code Here: Required
Submit

This Blog

Syndication

© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Microsoft
Page view tracker