Re: #288: Considering messages in isolation

On Thu, Jun 30, 2011 at 11:02:40AM +1000, Mark Nottingham wrote:
> On 30/06/2011, at 10:52 AM, Adrien de Croy wrote:
> > 
> > How does auth fit in with this, esp any challenge-response based authentication or connection-oriented auth.
> I think it's well-established that "connection-oriented" authentication is fundamentally incompatible with HTTP, and shouldn't be attempted. Yes, NTLM does it, and that causes *significant* problems in all of the implementations I'm aware of.

+1. Some proxies reduce their keep-alive timeout when overloaded,
resulting in NTLM auth not working over them under high loads ! Also,
any "connection-oriented" authentication results in wrong authentication
when a proxy is present before the authenticating component. I remember
a customer where the outgoing proxy used to work that way, and browsing
accounts were very expensive so very few people had them. A few people
I was working with decided to install a proxy which used only one
persistent connection, and provided free access to a number of
coworkers :-)

And now with more and more components able to multiplex requests over
connection pools, connection-oriented authentication is quite dangerous.

NTLM could fix this design issue by making the client present sort of
a cookie to the server during and after auth.


Received on Thursday, 30 June 2011 04:54:56 UTC