W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

Re: Multiple challenges in a single WWW-Authenticate header field

From: Thomas Broyer <t.broyer@gmail.com>
Date: Fri, 4 Dec 2009 08:55:10 +0100
Message-ID: <a9699fd20912032355u5318d81dy7b9ee6f5b3b92925@mail.gmail.com>
To: Daniel Stenberg <daniel@haxx.se>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
On Fri, Dec 4, 2009 at 8:38 AM, Daniel Stenberg <daniel@haxx.se> wrote:
> On Thu, 3 Dec 2009, Eran Hammer-Lahav wrote:
>> WWW-Autenticate: Basic realm="X1", Digest realm="X1",
>> domain="http://example.com", Basic realm="X2"
> I'm hijacking this thread slightly, but I'm still talking a related matter:
> Reading this line it made me think. Is there actually any common servers or
> proxies "out there" that merge WWW-Autenticate: or Proxy-Autenticate:
> headers to even provide more than one authenticate method in the same header
> line? (I mean, yes it is allowed and all but does it actually happen in real
> life?)

Apache's mod_asis does merge WWW-Authenticate headers:
Source: http://hg.ltgt.net/http-cookie-auth/file/tip/tests/basic-and-cookie.asis
Live: http://ltgt.net/tests/http-cookie-auth/basic-and-cookie.asis

Opera at least is know to get it wrong (even in 10.10):
basic-and-cookie [1] will trigger the auth dialog while
cookie-and-basic [2] won't (only when combined as a single header
though! when sent as two headers, using e.g. [3] it uses Basic in both
[1] http://ltgt.net/tests/http-cookie-auth/basic-and-cookie.asis
[2] http://ltgt.net/tests/http-cookie-auth/cookie-and-basic.asis
[3] http://hg.ltgt.net/http-cookie-auth/file/tip/tests/asis.py

Thomas Broyer
Received on Friday, 4 December 2009 07:55:51 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:52 UTC