Form based bug tracking and defect tracking
Feb 28, 2004 | Home > Bugzero > FAQs > KB

Form submission error with MSIE 6.0 (post data)


With MSIE 6, form is posted with empty data (sporadical)

Possible causes and solutions

  1. You cannot post any data to mixed NTLM and non-NTLM authenticated Web sites. Microsoft Internet Explorer requires NTLM authentication for all visits to a website after you visit one NTLM authenticated folder of the website.

    MSIE 5 or later has a feature called NTLM pre-authorization which lets the browser cache credentials if an NTLM challenge is received. Subsequent requests use the cached credentials.

  2. If you post a form via an ASP page, to IIS 4.0, and a sub folder on the site does not use NTLM (but the parent does), the browser does not send the POST data to the server. To solve this problem, use Regedt32 to navigate to:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    On the Edit menu, Add Value name DisableNTLMPreAuth as a type REG_DWORD and set the data value to 1 (true).

  3. This is actually in IE, and not a problem on the server side. Once NTLM authentication has been negotiated, the client browser will renegotiate authentication before sending the POST data. Basically, there is a handshake during initial authentication. When you do a form POST at any point after that, the client reinitiates the handshake (with the empty POST). The server responds with a challenge, and the client then resubmits the POST with the form data (and the response to the challenge in the authorization header).

    It seems, any NTLM authentication to a server will result in this behavior for subsequent POSTs to the same server (even unprotected resources). For example, if I go to NTLM-protected resource "/myntlm/test.html", then (later on) POST to the unprotected resource "/unprotected/foo.asp" this will be exhibited.

    The only way I have seen to get IE to "forget" it has previously NTLM-authenticated to a site is to send a 401 page status. This effectively resets the IE authentication state.

  5. Use KeepAlive off on the server (Apache).
* Reference brought to you by Bugzero, it's more than just bug tracking software!