URL Rewrite Module and Digest Authentication

With the Go Live release for the URL Rewrite Module having just been shipped, I thought that I'd address a problem that you might run into if you're using Digest Authentication. RFC 2069 states that a client sends the server a checksum of the username, password, nonce value, HTTP method, and the requested URI. Unfortunately, when rewriting the URL, the client and server have separate ideas of what the actual URL is, so Digest Authentication will fail when authenticating against a rewritten URL. Here's a practical example:

Let's say that you have an ASP application that retrieves items from a catalog. The URL for the catalog page is "/catalog.aspx" and clients pass the catalog number on the query string as "ID=[some number]". This yields an HTTP request like "http://www.example.com/catalog.aspx?ID=12345". Since this is not a very search-engine-friendly URL, you install the URL Rewrite Module and create a rule that rewrites URLs like "http://www.example.com/catalog/ID/12345" into the example listed above. This is a rather simple rewrite to accomplish, but you start to see the problem. The client thinks that "http://www.example.com/catalog/ID/12345" is the actual URL and makes that part of the Digest Authentication checksum, but the rewritten URL is what the client is actually being authenticated against and Digest Authentication fails. Unfortunately, this is a limitation for which there is no workaround. :-(
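The mismatch can be reproduced with the RFC 2069 digest calculation itself. The following is an added example, not code from IIS or the URL Rewrite Module; the credentials, realm, nonce and function names are constructed for illustration, and the check against the rewritten URL models the server-side behaviour described above.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2069 request-digest: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # credentials part
    ha2 = md5_hex(f"{method}:{uri}")                 # method and digest-uri part
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verifies(client_response, uri_seen_by_server, creds, nonce, method):
    """Recompute the digest with the URI the server uses and compare."""
    expected = digest_response(creds["username"], creds["realm"],
                               creds["password"], nonce, method,
                               uri_seen_by_server)
    return hmac.compare_digest(expected, client_response)


# Constructed sample values (assumptions, not taken from a real server).
CREDS = {"username": "alice", "realm": "example.com", "password": "s3cret"}
NONCE = "0123456789abcdef0123456789abcdef"
CLIENT_URI = "/catalog/ID/12345"          # what the client requested and hashed
REWRITTEN_URI = "/catalog.aspx?ID=12345"  # what the rewrite rule produced


def demo():
    # The client only knows the friendly URL, so that is what it hashes.
    client_response = digest_response(CREDS["username"], CREDS["realm"],
                                      CREDS["password"], NONCE, "GET",
                                      CLIENT_URI)
    return {
        "against_requested_uri": server_verifies(
            client_response, CLIENT_URI, CREDS, NONCE, "GET"),
        "against_rewritten_uri": server_verifies(
            client_response, REWRITTEN_URI, CREDS, NONCE, "GET"),
    }


if __name__ == "__main__":
    print(demo())
```

With the correct password in both cases, the only input that differs is the URI, and that alone is enough to change the checksum.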

All that being said, the URL Rewrite Module is a really useful add-on for IIS. I had written my own ISAPI-filter-based URL rewriter some time ago, and I worked with Ruslan some months ago to migrate my web sites from my own rewriter to our URL Rewrite Module for IIS. In the end, our URL Rewrite Module is so much easier to deploy and create rules for that I'm never going back to my own version. Now I find myself finding new ways to use the URL Rewrite Module on web sites where I never planned to deploy my own rewriter. :-)

For more information on our URL Rewrite Module, see the following topics:

(The last URL from Carlos Aguilar Mares has a great number of practical examples for Search Engine Optimization {SEO}.)
