Re: Set-Cookie vs list header parsing (i129) from Dan Winship on 2008-08-20 (ietf-http-wg@w3.org from July to September 2008)

From: Dan Winship <dan.winship@gmail.com>
Date: Wed, 20 Aug 2008 09:54:36 -0400
To: Jamie Lokier <jamie@shareable.org>
CC: Julian Reschke <julian.reschke@gmx.de>, ietf-http-wg@w3.org
Message-ID: <48AC221C.6030501@gmail.com>

Jamie Lokier wrote:
> Dan Winship wrote:
>> FWIW, 3 out of the big 4 browsers also don't correctly parse multiple
>> WWW-Authenticate headers that have been merged into one (even though
>> 2617 explicitly points out this possibility). So it might be best to
>> just say that intermediaries SHOULD NOT merge headers, except in cases
>> where they know it's safe.
> 
> Do they handle unmerged, multiple WWW-Authenticate headers correctly?

Yes. This results in Basic auth being performed:

    WWW-Authenticate: UnknownAuthType realm=Realm1, prop1=value1,
            prop2=value2
    WWW-Authenticate: Basic realm=Realm2

But this does not:

    WWW-Authenticate: UnknownAuthType realm=Realm1, prop1=value1,
            prop2=value2, Basic realm=Realm2

-- Dan

Received on Wednesday, 20 August 2008 13:55:48 UTC