W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2007

Re: [Fwd: I-D ACTION:draft-decroy-http-progress-00.txt]

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Tue, 13 Feb 2007 22:17:24 +0100
To: Adrien de Croy <adrien@qbik.com>
Cc: ietf-http-wg@w3.org
Message-Id: <1171401444.16208.45.camel@henriknordstrom.net>
tis 2007-02-13 klockan 12:58 +1300 skrev Adrien de Croy:

> then the problem can still be clearly shown.
> 
> 1. Client wants to post to server.
> 2. client connects to proxy, sends initial request, but not body
> 3. client waits for 100 continue.
> 4. proxy evaluates request, DNS and policy lookups etc. some time elapses.
> 5. Proxy Initiates connection to sever.. some more time elapses.
> 6. Client stops waiting for 100 continue and starts sending body
> 7. proxy achieves connection, server sends 401 auth required
> 8. proxy passes back 401 auth required
> 9. client has to terminate connection and start again.

Well.. no matter what the client only has the choice of either closing
the connection or sending the request body. That's the only two
available options once the request headers have been sent indicating
there will be a request entity body.

Adding a new "Defer" status code does not change this, and is why I got
confused by your draft into thinking that you somehow proposed that the
client should change how it sends the request body.

> At least with basic auth, the credentials can be submitted the second time.

Yes. And the same for Digest or any other message based authentication
scheme following the HTTP/1.1 protocol requirements.

> If the intermediary is an intercepting proxy however, and requires auth 
> (even basic)
> then breaking the connection will lose the auth either to the server or 
> proxy,
> since there can't be 2 sets of Authorization tags, and so this situation 
> prevents
> operation completely unless the client sends chunked data as you've 
> suggested.

An intercepting proxy can not use HTTP auth as HTTP proxy auth is only
possible when following specifications.

Not a all. It's just that if any hop uses NTLM or other connection
oriented aurh sceme then closing the connection is not an option so the
request body MUST be transmitted in order for the authentication to
work.

The new "defer" status code only avoids situations where the body is
unneededly transmitted before closing the connection. It does not at all
solve the problems of NTLM or other connection oriented authentication
methods.

> I am thinking more about your point about using TCP flow control.  We 
> are able to
> send a 0 window size, but that won't guarantee that the client won't 
> enter into the
> state where it thinks it is sending the body (and would therefore 
> terminate on
> any 4xx response).

Terminating the connection on 4xx is completely unrelated to if the
client has begun sending the request body or not. That's a property of
the server response and the preferences of the client just as any other
request/response pair.

The only way of not having to send the complete request body without
closing the connection is to use chunked encoding. If Content-Length is
used then the client MUST either send the indicated amount of data or
close the connection no matter what response is received.

Regards
Henrik

Received on Tuesday, 13 February 2007 21:17:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:00 GMT