Double request for files from webcid

I noticed in the logs of my web-server, running my webcid, that the new Sophos update client (v2.5.8.263) included with 9.7.x does 2 requests for every file.

2011-05-13 11:42:51 xx.xx.xx.xx GET /win/savxp/auto-bpt.ide - 80 - xx.xx.xx.xx SophosAutoUpdate/2.5.8.263+SDDS/1.0+(u="sophosupd"+c="c4fd9cf1-d3c7-4251-969b-d8b045e60698") 401 2 5 0
2011-05-13 11:42:51 xx.xx.xx.xx GET /win/savxp/auto-bpt.ide - 80 sophosupd xx.xx.xx.xx SophosAutoUpdate/2.5.8.263+SDDS/1.0+(u="sophosupd"+c="c4fd9cf1-d3c7-4251-969b-d8b045e60698") 200 0 0 0

The first one without authentication, which gets denied (401) and the second one with authentication.

I have configured authentication so I would expect only an authenticated request.
Older clients, v2.5.1.212 and v2.5.5.231 don't do this.

I already opened a support ticket for this but I was wondering if anybody else sees this behavior?

:12957
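An added example, not part of the original thread: a Python script that measures the pattern in the log excerpt above by pairing each anonymous 401 with the authenticated 200 that follows for the same client and file, per update-client version. The log lines are constructed in the layout of the post's excerpt; the `#Fields` header, the addresses, the second file name and the shortened user-agent strings are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic). Column order is assumed from the two
# log lines in the post; addresses come from documentation ranges and
# constructed-2.ide is a made-up file name.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-05-13 11:42:51 192.0.2.10 GET /win/savxp/auto-bpt.ide - 80 - 198.51.100.7 SophosAutoUpdate/2.5.8.263+SDDS/1.0 401 2 5 0
2011-05-13 11:42:51 192.0.2.10 GET /win/savxp/auto-bpt.ide - 80 sophosupd 198.51.100.7 SophosAutoUpdate/2.5.8.263+SDDS/1.0 200 0 0 0
2011-05-13 11:42:52 192.0.2.10 GET /win/savxp/constructed-2.ide - 80 - 198.51.100.7 SophosAutoUpdate/2.5.8.263+SDDS/1.0 401 2 5 0
2011-05-13 11:42:52 192.0.2.10 GET /win/savxp/constructed-2.ide - 80 sophosupd 198.51.100.7 SophosAutoUpdate/2.5.8.263+SDDS/1.0 200 0 0 0
2011-05-13 11:43:10 192.0.2.10 GET /win/savxp/auto-bpt.ide - 80 - 198.51.100.8 SophosAutoUpdate/2.5.5.231+SDDS/1.0 401 2 5 0
2011-05-13 11:43:10 192.0.2.10 GET /win/savxp/auto-bpt.ide - 80 sophosupd 198.51.100.8 SophosAutoUpdate/2.5.5.231+SDDS/1.0 200 0 0 0
2011-05-13 11:43:11 192.0.2.10 GET /win/savxp/constructed-2.ide - 80 sophosupd 198.51.100.8 SophosAutoUpdate/2.5.5.231+SDDS/1.0 200 0 0 0
"""


def challenge_overhead(log_text, window=timedelta(seconds=2)):
    """Return {user_agent: (total_requests, anonymous-401-then-200 pairs)}."""
    fields, pending = [], {}
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for later records
            continue
        if not line or line.startswith("#"):
            continue                           # other directives, blank lines
        rec = dict(zip(fields, line.split()))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        agent = rec["cs(User-Agent)"]
        key = (rec["c-ip"], agent, rec["cs-uri-stem"])
        stats[agent][0] += 1
        anonymous = rec["cs-username"] == "-"
        if rec["sc-status"] == "401" and anonymous:
            pending[key] = ts                  # remember the unauthenticated attempt
        elif rec["sc-status"] == "200" and not anonymous:
            first = pending.pop(key, None)
            if first is not None and ts - first <= window:
                stats[agent][1] += 1           # same file retried with credentials
    return {agent: tuple(counts) for agent, counts in stats.items()}


if __name__ == "__main__":
    for agent, (total, pairs) in challenge_overhead(SAMPLE_LOG).items():
        print(f"{agent}: {total} requests, {pairs} 401/200 pairs")
```

On a real log, a pair count close to half of a client's total requests indicates the behaviour described in this thread, while a client that reuses its credentials shows a single pair per session.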


  • I'm not sure, but it might now be doing DIGEST authentication, which requires the extra round-trip on each request (over BASIC authentication).

    :13031
  • but it might now be doing DIGEST authentication

    As this is a setting of the customer's webserver and it is the server which requests authentication this would only explain the change if

    1. the webserver offers DIGEST in addition to BASIC - and
    2. AutoUpdate has been changed to support DIGEST authentication

    Our webserver offers the basic mechanism only and I observe the described behaviour. Every file is first requested without the Authorization: header.  

    Christian

    :13033
  • It might merely have changed to preferring Digest.

    :13035
  • Well, Douglas, IMO it does not make sense to send within milliseconds another unauthorized request to a webserver which only offered basic. Up to and including 9.5 the requests following a 401 response included the necessary Authentication: header. So if AU determines that digest is not available (even if preferred) it should use basic for the current update.  And I wonder why digest should be the method "sought for" as article 27539 (and similarly 12134) says: 'Digest' authentication may fail on some web servers. Change authentication to only Integrated, restart IIS and test updating again.

    Christian

    :13041
  • I have made a packet capture with Wireshark from a client updating and the first request does not contain any authentication.

    :13043
  • the first request does not contain any authentication

    Yup, I just didn't rule out that if the server offers digest AU would use it in subsequent requests (instead of omitting the credentials).

    To be fair, although the number of requests (almost) doubles neither should these additional requests bring a typical webserver to its knees nor should they cause network congestion. But for sites with slow, high-latency links and HTTP as Primary this has a significant impact. And last but not least - it's not elegant :robotwink:

    Christian

    :13053
  • Hi guys,

    This has been raised as a defect. The reference is DEF71034 for your notes.

    Thanks

    Andy

    :13173
  • That is good to hear. Thanks for your reply.
    :13205