Re: #288: Considering messages in isolation

On Thu, Jun 30, 2011 at 07:54:42PM +1200, Adrien de Croy wrote:
> What action if any that leaves us with now is another matter.  Perhaps 
> we should make some note somewhere, or explicitly deal with the case.  
> For instance state somewhere that the assumption that requests are 
> unrelated no longer holds if a particular header is present, indicating 
> the use of session-based authentication for instance.

This would be very dangerous; however, probably we should document existing
incompatibilities with the rule (e.g. NTLM auth) so that implementers are
aware of this and plan on being able to adapt to this mode by configuration,
which implies more than just keeping the 1-to-1 association between client
and server connection, as it also means that connections should not be
dropped too often, and almost never during the challenge.

But I agree with you that stating that this erroneous behaviour should not
be done will not suddenly make NTLM auth disappear with its associated


Received on Thursday, 30 June 2011 09:04:35 UTC