- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 30 Jun 2011 06:54:15 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Adrien de Croy <adrien@qbik.com>, Julian Reschke <julian.reschke@gmx.de>, httpbis Group <ietf-http-wg@w3.org>
On Thu, Jun 30, 2011 at 11:02:40AM +1000, Mark Nottingham wrote: > > On 30/06/2011, at 10:52 AM, Adrien de Croy wrote: > > > > > How does auth fit in with this, esp any challenge-response based authentication or connection-oriented auth. > > I think it's well-established that "connection-oriented" authentication is fundamentally incompatible with HTTP, and shouldn't be attempted. Yes, NTLM does it, and that causes *significant* problems in all of the implementations I'm aware of. +1. Some proxies reduce their keep-alive timeout when overloaded, resulting in NTLM auth not working over them under high loads ! Also, any "connection-oriented" authentication results in wrong authentication when a proxy is present before the authenticating component. I remember a customer where the outgoing proxy used to work that way, and browsing accounts were very expensive so very few people had them. A few people I was working with decided to install a proxy which used only one persistent connection, and provided free access to a number of coworkers :-) And now with more and more components able to multiplex requests over connection pools, connection-oriented authentication is quite dangerous. NTLM could fix this design issue by making the client present sort of a cookie to the server during and after auth. Regards, Willy
Received on Thursday, 30 June 2011 04:54:56 UTC