
Re: #288: Considering messages in isolation

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 30 Jun 2011 06:54:15 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: Adrien de Croy <adrien@qbik.com>, Julian Reschke <julian.reschke@gmx.de>, httpbis Group <ietf-http-wg@w3.org>
Message-ID: <20110630045415.GB26670@1wt.eu>
On Thu, Jun 30, 2011 at 11:02:40AM +1000, Mark Nottingham wrote:
> 
> On 30/06/2011, at 10:52 AM, Adrien de Croy wrote:
> 
> > 
> > How does auth fit in with this, esp any challenge-response based authentication or connection-oriented auth.
> 
> I think it's well-established that "connection-oriented" authentication is fundamentally incompatible with HTTP, and shouldn't be attempted. Yes, NTLM does it, and that causes *significant* problems in all of the implementations I'm aware of.

+1. Some proxies reduce their keep-alive timeout when overloaded,
resulting in NTLM auth not working over them under high loads! Also,
any "connection-oriented" authentication results in wrong authentication
when a proxy is present before the authenticating component. I remember
a customer where the outgoing proxy used to work that way, and browsing
accounts were very expensive so very few people had them. A few people
I was working with decided to install a proxy which used only one
persistent connection, and provided free access to a number of
coworkers :-)

And now with more and more components able to multiplex requests over
connection pools, connection-oriented authentication is quite dangerous.

NTLM could fix this design issue by making the client present sort of
a cookie to the server during and after auth.

Regards,
Willy
Received on Thursday, 30 June 2011 04:54:56 GMT
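The failure described in the message above, as an added simulation (not code from the thread or from any NTLM implementation): a proxy that forwards every user's requests over one persistent upstream connection, against a server that binds identity to the connection (NTLM-style) versus one that checks a per-request token. The class names, `simulate`, and the token values are invented for the illustration.

```python
"""Why connection-oriented auth breaks behind a pooling proxy, and how a
per-request credential avoids it. All names and values here are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Request:
    user: str                      # client the proxy received the request from
    token: Optional[str] = None    # per-request credential; absent in the NTLM-style model


class Server:
    """Origin that trusts either the connection or a per-request token."""
    def __init__(self, connection_oriented: bool, tokens: Dict[str, str]):
        self.connection_oriented = connection_oriented
        self.tokens = tokens                      # token -> user
        self.authed_conns: Dict[int, str] = {}    # conn_id -> user bound to it

    def authenticate(self, conn_id: int, user: str) -> None:
        # Handshake finished on this connection; only remembered in connection mode.
        if self.connection_oriented:
            self.authed_conns[conn_id] = user

    def handle(self, conn_id: int, req: Request) -> str:
        if self.connection_oriented:
            # Identity comes from the TCP connection, not from the request itself.
            return self.authed_conns.get(conn_id, "anonymous")
        # Per-request model: every message carries its own credential.
        return self.tokens.get(req.token or "", "anonymous")


class PoolingProxy:
    """Forwards every client's requests over one persistent upstream connection."""
    def __init__(self, server: Server):
        self.server = server
        self.upstream_conn_id = 1   # single pooled connection shared by all users

    def forward(self, req: Request) -> str:
        return self.server.handle(self.upstream_conn_id, req)


def simulate(connection_oriented: bool) -> List[str]:
    """Alice authenticates through the proxy, then Bob sends a request with no
    credential. Returns the identity the server assigned to each request."""
    server = Server(connection_oriented, tokens={"tok-alice": "alice"})
    proxy = PoolingProxy(server)
    # Alice completes the auth handshake over the proxy's pooled upstream connection.
    server.authenticate(proxy.upstream_conn_id, "alice")
    results = [proxy.forward(Request("alice", token="tok-alice"))]
    results.append(proxy.forward(Request("bob")))   # Bob presents nothing
    return results
```

With `connection_oriented=True` Bob's request is served as Alice, which is the free-access scenario from the message; with a per-request token Bob stays anonymous.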