- From: John Franks <john@math.nwu.edu>
- Date: Fri, 15 Mar 1996 08:33:11 -0600 (CST)
- To: Paul Leach <paulle@microsoft.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Mon, 11 Mar 1996, Paul Leach wrote:
>
> Interesting. What happens if I do this:
> GET /secret.txt HTTP/1.1
> Authorization: uri="/public.txt",
> username="fred", realm="www.foo.com",
> nonce="deadbeef", response="0123456789abcdef0123456789abcdef"
>
> If the server checks the authorization header and its URI, but then
> uses the URI from the Request-URI in the request line, the whole
> exercise will have been wasted.
> And if proxies are allowed to munge the URI in unknown ways, the server
> can't compare the request-URI with the uri in the Authorization header.
>
> The Digest draft should say the server MUST use the URI from the
> Authorization header, as that is the only one that has been authenticated.
>

The latest draft I sent you addresses this as follows:

"The authenticating server must assure that the document designated by
the "uri" field is the same as the document served. The purpose of
duplicating information from the request URL in this field is to deal
with the possibility that an intermediate proxy may alter the client's
request. This altered (but presumably semantically equivalent) request
would not result in the same digest as that calculated by the client."

John Franks
Dept of Math. Northwestern University
john@math.nwu.edu
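The server-side check the draft language above calls for, as an added example that is not part of this thread or of any Digest implementation its participants wrote. It assumes the 1996 draft's MD5 computation (A1 = username:realm:password, A2 = method:uri, no qop), a constructed password table, and the header fields from Paul's example; `resolve_flawed` reproduces the mistake he describes next to the behaviour the draft requires.

```python
import hashlib
import hmac
import re

# Constructed credential store for this example; not real accounts.
PASSWORDS = {("fred", "www.foo.com"): "s3cret-example"}

def _h(data: str) -> str:
    # The 1996 Digest draft's H() is MD5, written as lowercase hex.
    return hashlib.md5(data.encode("latin-1")).hexdigest()

def digest_response(method, uri, username, realm, nonce, password):
    # Draft-era formula (no qop): response = H(H(A1) ":" nonce ":" H(A2)),
    # with A1 = username ":" realm ":" password and A2 = method ":" uri.
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{ha2}")

def build_authorization(method, uri, username, realm, nonce, password):
    """Client side: the Authorization header a browser would send for `uri`."""
    resp = digest_response(method, uri, username, realm, nonce, password)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def authenticated_uri(method, auth_header):
    """Verify the digest and return the URI it covers, or None if invalid.
    Only the "uri" field is under the digest, so only it is authenticated."""
    f = dict(re.findall(r'(\w+)="([^"]*)"', auth_header))
    try:
        pw = PASSWORDS[(f["username"], f["realm"])]
        want = digest_response(method, f["uri"], f["username"], f["realm"], f["nonce"], pw)
        ok = hmac.compare_digest(want, f["response"])
    except KeyError:  # unknown user/realm or a missing field
        return None
    return f["uri"] if ok else None

def resolve_flawed(method, request_uri, auth_header):
    """The mistake in the quoted message: check the header, then serve whatever
    the request line names. A valid digest for /public.txt unlocks /secret.txt."""
    return request_uri if authenticated_uri(method, auth_header) else None

def resolve(method, request_uri, auth_header):
    """What the draft requires: the document served must be the one the "uri"
    field designates. A request line that disagrees is refused, not trusted."""
    uri = authenticated_uri(method, auth_header)
    return uri if uri is not None and uri == request_uri else None
```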
Received on Friday, 15 March 1996 18:06:48 UTC