Understanding the New WinInet option: INTERNET_OPTION_SUPPRESS_SERVER_AUTH

  • Article

With the release of Internet Explorer 8 comes a new option for WinInet programming: INTERNET_OPTION_SUPPRESS_SERVER_AUTH. The MSDN documentation is very specific and describes how the option affects authorization, but I like to see things in action! How about some sample code for INTERNET_OPTION_SUPPRESS_SERVER_AUTH?

This option is documented here: https://msdn.microsoft.com/en-us/library/aa385328(VS.85).aspx (note that if you are not using the latest SDK headers, the value for this option is also documented here).

To sum it up, use this option so your WinInet application will allow you to use credentials to authorize through a proxy, but don't pass credentials to the endpoint server.

To understand this option you can modify the HttpAuth example in the Platforms SDK and see how this option can be used to create a sample. Then you can use Fiddler (https://www.fiddlertool.com) to request proxy credentials and verify that you cannot pass credentials to an endpoint server.

Since this is an option for the request you set this on the request handle just before you execute the request:

InternetSetOption(hRequest,INTERNET_OPTION_SUPPRESS_SERVER_AUTH,NULL,0);

// Send request.
fRet = HttpSendRequest( hRequest, // request handle
"", // header string
0, // header length
NULL, // post data
0 // post length
);

Next configure Fiddler to require proxy authentication by selecting the menu item 'Rules' and check the 'Require Proxy Authentication' option. If you look at the help documentation on this feature you will discover the password and user id is '1' for this setting.

Finally run the HttpAuth sample and see that it will prompt you for the Proxy authorization, and once you enter these credentials you cannot send credentials to the end point server. Even if you use the custom UI and use InternetSetOption to set the username and password, WinInet will not send these credentials.

 Note that in the documentation for this option, it suggests you use the INTERNET_OPTION_NO_COOKIES option as well to prevent Cookie based Authentication to the end point server.

Let me know if this was useful to you!