I've encountered an interesting problem when trying to debug digest authentication in my company's application using Internet Explorer 11 (11.0.9600.19377 on Windows 7 64-bit) with Fiddler (v5.0.20192.25091). It seems that with Fiddler running and capturing traffic, the behaviour of IE11 is actually different, suggesting that Fiddler is modifying the outgoing traffic before it hits the server.
To give a bit of context, using Chrome and Firefox (with or without Fiddler running) I'm finding that the digest auth. process works entirely as expected:
- Client sends a GET request without an authorisation header to a protected URL.
- Server responds with 401, including a nonce and realm.
- Client prompts user for username & password.
- Client sends a secondary GET request to the same URL, including a full authorisation header (username, password, nonce & realm).
- The server responds with 200.
When using IE11 without Fiddler, the process is incorrect – I've been able to analyse this by using Wireshark:
- Client sends a GET request without an authorisation header to a protected URL.
- Server responds with 401, including a nonce and realm.
- Client prompts user for username & password.
- Client repeats step (1), causing a loop. The client is therefore unable to authenticate.
However, when using IE11 with Fiddler running and capturing traffic, the browser behaves differently (following the same process as Chrome and Firefox) and actually works correctly. My understanding was that Fiddler is completely transparent (capturing all WinINET traffic without modification), so that leaves me with a few questions:
- What processing does Fiddler apply to requests before passing them to the server?
- Is there an option to bypass this processing so that I can analyse the 'raw' requests?
- Alternatively, does Fiddler do anything specifically to modify the browser behaviour while it is capturing traffic?