I've encountered an interesting problem when trying to debug digest authentication in my company's application using Internet Explorer 11 (11.0.9600.19377 on Windows 7 64-bit) with Fiddler (v5.0.20192.25091). It seems that with Fiddler running and capturing traffic, the behaviour of IE11 is actually different, suggesting that Fiddler is modifying the outgoing traffic before it hits the server.
To give a bit of context, using Chrome and Firefox (with or without Fiddler running) I'm finding that the digest auth. process works entirely as expected:
- Client sends a GET request without an authorisation header to a protected URL.
- Server responds with 401, including a nonce and realm.
- Client prompts user for username & password.
- Client sends a secondary GET request to the same URL, including a full authorisation header (username, password, nonce & realm).
- The server responds with 200.
When using IE11 without Fiddler, the process is incorrect – I've been able to analyse this by using Wireshark:
- Client sends a GET request without an authorisation header to a protected URL.
- Server responds with 401, including a nonce and realm.
- Client prompts user for username & password.
- Client repeats step (1), causing a loop. The client is therefore unable to authenticate.
However, when using IE11 with Fiddler running and capturing traffic, the browser behaves differently (following the same process as Chrome and Firefox) and actually works correctly. My understanding was that Fiddler is completely transparent (capturing all WinINET traffic without modification) so that leaves me with a few questions:
- What processing does Fiddler apply to requests before passing them to the server?
- Is there an option to bypass this processing so that I can analyse the 'raw' requests?
- Alternatively, does Fiddler do anything specifically to modify the browser behaviour while it is capturing traffic?
2 Answers, 1 is accepted
This appears to be common in Internet Explorer (IE) going all the way back to IE8. See the Digest Authentication not Working on IE8 where FireFox and Chrome are Fine StackOverflow thread for more information. This supports the provided observations with Fiddler and IE. With that said, let me provide answers to the questions below.
1. - Using the default settings, Fiddler registers itself as the system proxy and all HTTP requests from WinINET go through Fiddler prior to reaching the target Web Server. See more details about this in the Fiddler Proxy documentation.
2. - After selecting a session in the Session List select the Raw tab in the upper right window pane to see the request raw data.
3. - By default Fiddler won't modify the traffic unless a custom script is used to Modify a Request or Response.
Please let me know if you need any additional information. Thank you for using the Fiddler Forums.
Regards,
Eric R | Technical Support Engineer
Progress Telerik
Rank 1
Thanks for your quick reply. I actually came across the same Stack Overflow thread while Googling the problem, but my observations don't match up exactly with what users are describing there – I don't believe anyone in that thread specifically acknowledges that running Fiddler (or any other sniffer) causes the correct sequence of events to occur.
I will do some more testing with the information you provided in mind. Ultimately I think the server-side code will need modifying to handle this correctly, but I thought it was an interesting observation that Fiddler seems to 'trick' IE into doing the correct thing.