- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 30 Jun 2011 11:04:04 +0200
- To: Adrien de Croy <adrien@qbik.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Julian Reschke <julian.reschke@gmx.de>, httpbis Group <ietf-http-wg@w3.org>
On Thu, Jun 30, 2011 at 07:54:42PM +1200, Adrien de Croy wrote: > What action if any that leaves us with now is another matter. Perhaps > we should make some note somewhere, or explicitly deal with the case. > For instance state somewhere that the assumption that requests are > unrelated no longer holds if a particular header is present, indicating > the use of session-based authentication for instance. This would be very dangerous, however probably we should document existing incompatibilities with the rule (eg: NTLM auth) so that implementers are aware of this and plan on being able to adapt to this mode by configuration, which implies more than just keeping the 1-to-1 association between client and server connection, as it also means that connections should not be dropped too often, and almost never during the challenge. But I agree with you that stating that this erroneous behaviour should not be done will not suddenly make NTLM auth disappear with its associated issues. Regards, Willy
Received on Thursday, 30 June 2011 09:04:35 UTC