Talking about FlashGet, it's now giving a forbidden error: "HTTP/1.1 403 Forbidden". Using your last Alpha11 or the Beta1 build doesn't changed functionality with FlashGet, when using the new URL scheme (?mode=auth&u=USERNAME&e=TIMESTAMP&s2=SIGNATURE). If I'm not mistaken, this could happen because this new URL scheme relies on JavaScript to complete the login and redirecting to the resource (correct me if I'm mistaken).
download managers (DM) can manage to download protected resources in several ways.
Let me know if my reasoning is correct.
1) the server replies 401, the DM asks you credentials, and you enter there.
This was working before but it is bad for security because credentials are clear text. I think we should not support it, at least until we have no https. That's why i'm now replying 403 instead. Actually, i should consider this
https://en.wikipedia.org/wiki/Digest_access_authenticationEven if I guess many PHP based servers are not using this but sessions, so DM must be supporting sessions. Sessions are important for logout, I expect the browser to not be offering a 'logout' button otherwise.
2) the server uses cookie based sessions, and will give a reply that's good for browsers.
Some DM may use an internal browser to authenticate.
Some may capture the cookie.
Others will be not be able to work, and for these we have the "include password in pages", that puts credentials on all the links. No browser/javascript functionality is required for the DM.
I've removed that part in the example (because it's not relevant), but that doesn't mean the SID is empty (it is 'Set-Cookie: HFS_SID_=xxxxxxxxxxxx', where xxxxxxxxxxxx is the radom SID).
ok, so you are telling me you get a SID in the URL and a different one in a cookie?
It's strange because if the DM accesses the server with a SID in the URL, the server will 'create' a cookie but with the SAME id.
You sure? I expect this: the browser gets a cookie, then you pass the job to the DM which will get the cookie
1) from the browser, all working, directly
2) through the URL, the DM should have no cookie at this moment because didn't interact with the server yet, it sends a request without a cookie, the server accepts the SID in the URL.
I don't see in which case you should have 2 different SIDs.
If you want, it's better that you download FlashGet (on you XP virtual machine), and see how it works
i will wait your reply first.
I'm currently working to solve a DoS problem.