This page is specific to Microsoft Visual Studio 2008/.NET Framework 3.5.

.NET Framework Class Library
HttpWebRequest.PreAuthenticate Property

Gets or sets a value that indicates whether to send an authenticate header with the request.

Namespace:  System.Net
Assembly:  System (in System.dll)
Visual Basic (Declaration)
Public Overrides Property PreAuthenticate As Boolean
Visual Basic (Usage)
Dim instance As HttpWebRequest
Dim value As Boolean

value = instance.PreAuthenticate

instance.PreAuthenticate = value
C#
public override bool PreAuthenticate { get; set; }
Visual C++
public:
virtual property bool PreAuthenticate {
    bool get () override;
    void set (bool value) override;
}
JScript
public override function get PreAuthenticate () : boolean
public override function set PreAuthenticate (value : boolean)

Property Value

Type: System.Boolean
true to send a WWW-authenticate HTTP header with requests after authentication has taken place; otherwise, false. The default is false.

After a client request to a specific Uri is successfully authenticated, if PreAuthenticate is true and credentials are supplied, the WWW-authenticate header is sent with each request to that Uri; otherwise, the request uses standard authentication procedures.

With the exception of the first request, the PreAuthenticate property indicates whether to send authentication information with subsequent requests to the specific Uri without waiting to be challenged by the server.

The following dialog between client and server illustrates the effect of this property. The dialog assumes that basic authentication is in use.

PreAuthenticate is false:

Client: GET someUrl

Server: 401 WWW-Authenticate Basic

Client: GET with Authorization headers

Server: 200 OK

Client: GET someUrl

Server: 401 WWW-Authenticate Basic

Client: GET with Authorization headers

Server: 200 OK

PreAuthenticate is true:

Client: GET someUrl

Server: 401 WWW-Authenticate Basic

Client: GET with Authorization headers

Server: 200 OK

Client: GET someUrl with Authorization headers

If the authentication scheme does not support preauthentication, the value of this property is ignored.

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98, Windows CE, Windows Mobile for Smartphone, Windows Mobile for Pocket PC

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0, 1.1, 1.0

.NET Compact Framework

Supported in: 3.5, 2.0, 1.0
Community Content

Client sends Authorization not WWW-authenticate header      Atif Aziz
The documentation incorrectly states that the client sends WWW-authenticate header if PreAuthenticate is set to true. The server sends WWW-authenticate but the client always responds or sends the Authorization header.

More info on PreAuthenticate      ChrisLaMont

See this blog entry: http://blogs.msdn.com/feroze_daud/archive/2004/07/12/180856.aspx

The topic of this post is PreAuthentication.

HTTP Webservers support multiple authentication options. On Windows, IIS supports Basic, NTLM, Digest, Negotiate (a.k.a Integrated Windows Authentication). Of these, Basic & Kerberos support PreAuthentication.

"PreAuthentication" is sometimes misunderstood to mean "Send credentials on the very first request". That is not the way it works. For Preauthenticate to work, the following things have to happen:

1) You make a webrequest to a server. You might (or might not) have specified credentials on the first request.

2) The server wants to authenticate the request you are making. So it replies with a 401.

3) The client does the authentication handshake with the server, and sends your credential.

4) If "Basic" was chosen as the authentication scheme by the client, then Pre-Authentication is enabled for this request. So, every subsequent request from now on to the same Uri-Prefix will result in the credentials being sent preemptively.

The main thing to note here is: It requires at least one request before the client can do pre-authentication. Credentials are not automatically sent on the first request if PreAuthenticate is true.

If you want to force credentials to be sent on the first request (and thus avoid the first auth handshake), you can set credentials manually on the request:


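using System;
using System.Net;
using System.Text;

// username and password are strings supplied by the caller
WebRequest req = WebRequest.Create("http://....");
// Basic credentials are "username:password", base64-encoded
string cre = String.Format("{0}:{1}", username, password);
byte[] bytes = Encoding.ASCII.GetBytes(cre);
string base64 = Convert.ToBase64String(bytes);
req.Headers.Add("Authorization", "basic " + base64);
WebResponse resp = req.GetResponse();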


This will set the authorization header on the request, and send it on the first request itself. If the credentials are correct, the first handshake will not happen.

However, remember that you have to use this code to set the authorization header on every request. This is because we bypassed the authentication handshake, and HttpWebRequest has no knowledge that the server requires authentication. So it won't do pre-authentication by itself anymore.

The recommended way to get preauthentication is to set the credentials on the request, set PreAuthenticate=true, and send the request. Once the first authentication handshake happens, and credentials are accepted by the server, preauthentication will happen behind the scenes for every request to the same Uri-Prefix.
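
The client/server dialog in the reference text and the recommended setup in the blog entry can be observed together with a local test server. The following is an added example, not part of the original page or of Microsoft's documentation: an HttpListener challenges with Basic and logs whether each request carried an Authorization header, while two requests are sent with PreAuthenticate off and then on. The port, paths, realm and credentials are constructed for the demo, and it assumes the process is allowed to listen on that localhost prefix.

```csharp
using System;
using System.Net;
using System.Text;
using System.Threading;

class PreAuthDemo
{
    // Constructed for this demo: port, paths, realm and credentials.
    const string Base = "http://localhost:8085/";
    const string User = "demo-user", Pass = "demo-pass";

    static void Serve(HttpListener listener)
    {
        string expected = "Basic " + Convert.ToBase64String(Encoding.ASCII.GetBytes(User + ":" + Pass));
        while (true)
        {
            HttpListenerContext ctx = listener.GetContext();
            string auth = ctx.Request.Headers["Authorization"];
            Console.WriteLine("{0} {1}  Authorization: {2}", ctx.Request.HttpMethod,
                ctx.Request.RawUrl, auth == null ? "(none)" : "sent");
            if (auth != expected)
            {
                // Challenge: the server, not the client, sends WWW-Authenticate.
                ctx.Response.StatusCode = 401;
                ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"demo\"");
            }
            ctx.Response.Close();
        }
    }
    static void Get(string path, bool preAuthenticate)
    {
        // Scope the credential to this URI prefix and to the Basic scheme only.
        CredentialCache cache = new CredentialCache();
        cache.Add(new Uri(Base), "Basic", new NetworkCredential(User, Pass));
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(Base + path);
        req.Credentials = cache;
        req.PreAuthenticate = preAuthenticate;
        using (WebResponse resp = req.GetResponse()) { }
    }
    static void Main()
    {
        HttpListener listener = new HttpListener();
        listener.Prefixes.Add(Base);
        listener.Start();
        new Thread(() => Serve(listener)) { IsBackground = true }.Start();
        // Separate path prefixes (off/, on/) keep the two runs independent.
        foreach (bool pre in new[] { false, true })
            for (int i = 0; i < 2; i++)
                Get((pre ? "on/" : "off/") + i, pre);
    }
}
```

Basic credentials are base64-encoded, not encrypted, and with preauthentication they travel on every request to the prefix; outside a loopback demo like this one, use an https:// URL.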
