Re: #288: Considering messages in isolation

On Thu, Jun 30, 2011 at 07:54:42PM +1200, Adrien de Croy wrote:
> What action if any that leaves us with now is another matter.  Perhaps 
> we should make some note somewhere, or explicitly deal with the case.  
> For instance state somewhere that the assumption that requests are 
> unrelated no longer holds if a particular header is present, indicating 
> the use of session-based authentication for instance.

This would be very dangerous; however, we should probably document existing
incompatibilities with the rule (e.g. NTLM auth) so that implementers are
aware of this and plan on being able to adapt to this mode by configuration,
which implies more than just keeping the 1-to-1 association between client
and server connection, as it also means that connections should not be
dropped too often, and almost never during the challenge.

But I agree with you that stating that this erroneous behaviour should not
be done will not suddenly make NTLM auth disappear with its associated
issues.

Regards,
Willy

Received on Thursday, 30 June 2011 09:04:35 UTC
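
The connection handling described in this message, sketched as an added example (not part of the original message or of any proxy's code): a toy upstream pool that stops sharing a server connection once an NTLM challenge or credential has been seen on it. The class, method and connection names are hypothetical, and the header values in the comments are constructed.

```python
import re

# Added illustration; every name here is hypothetical, not from a real proxy.
# Matches an NTLM challenge or credential, alone or in a comma-separated list,
# e.g. "NTLM", "NTLM TlRMTVNTUAAB" or "Negotiate, NTLM" (constructed values).
NTLM = re.compile(r"(?:^|,)\s*NTLM(?:\s|,|$)", re.I)
AUTH_HEADERS = {"www-authenticate", "authorization"}

def is_ntlm(headers):
    """headers: list of (name, value) pairs. True if NTLM auth is in play."""
    return any(n.lower() in AUTH_HEADERS and NTLM.search(v) is not None
               for n, v in headers)

class UpstreamPool:
    def __init__(self):
        self.idle = []      # server connections any client may reuse
        self.pinned = {}    # client id -> server connection reserved for it
        self._count = 0

    def acquire(self, client):
        if client in self.pinned:           # keep the 1-to-1 association
            return self.pinned[client]
        if self.idle:
            return self.idle.pop()
        self._count += 1
        return f"upstream-{self._count}"

    def release(self, client, conn, req_headers, resp_headers):
        if client in self.pinned:
            return                          # stays reserved until the client leaves
        if is_ntlm(req_headers) or is_ntlm(resp_headers):
            self.pinned[client] = conn      # the connection now carries identity
        else:
            self.idle.append(conn)          # stateless exchange, safe to share

    def client_closed(self, client):
        """Return the connection to close; it must never go back to idle."""
        return self.pinned.pop(client, None)
```

A pinned connection is only ever handed back to the client that authenticated on it, and it is closed rather than recycled when that client disconnects.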