- From: Thomas Broyer <t.broyer@gmail.com>
- Date: Fri, 4 Dec 2009 08:55:10 +0100
- To: Daniel Stenberg <daniel@haxx.se>
- Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
On Fri, Dec 4, 2009 at 8:38 AM, Daniel Stenberg <daniel@haxx.se> wrote: > On Thu, 3 Dec 2009, Eran Hammer-Lahav wrote: > >> WWW-Autenticate: Basic realm="X1", Digest realm="X1", >> domain="http://example.com", Basic realm="X2" > > I'm hijacking this thread slightly, but I'm still talking a related matter: > > Reading this line it made me think. Is there actually any common servers or > proxies "out there" that merge WWW-Autenticate: or Proxy-Autenticate: > headers to even provide more than one authenticate method in the same header > line? (I mean, yes it is allowed and all but does it actually happen in real > life?) Apache's mod_asis does merge WWW-Authenticate headers: Source: http://hg.ltgt.net/http-cookie-auth/file/tip/tests/basic-and-cookie.asis Live: http://ltgt.net/tests/http-cookie-auth/basic-and-cookie.asis Opera at least is know to get it wrong (even in 10.10): basic-and-cookie [1] will trigger the auth dialog while cookie-and-basic [2] won't (only when combined as a single header though! when sent as two headers, using e.g. [3] it uses Basic in both cases) [1] http://ltgt.net/tests/http-cookie-auth/basic-and-cookie.asis [2] http://ltgt.net/tests/http-cookie-auth/cookie-and-basic.asis [3] http://hg.ltgt.net/http-cookie-auth/file/tip/tests/asis.py -- Thomas Broyer /tɔ.ma.bʁwa.je/
Received on Friday, 4 December 2009 07:55:51 UTC