Re: #288: Considering messages in isolation

Revised proposal:

"""
Recipients MUST consider every message in a connection in isolation; because HTTP is a stateless protocol, it cannot be assumed that two requests on the same connection are from the same client or share any other common attributes. In particular, intermediaries might mix requests from different clients into a single server connection. Note that some existing HTTP extensions (e.g., [RFC4559]) violate this requirement, thereby potentially causing interoperability and security problems.
"""


On 30/06/2011, at 7:04 PM, Willy Tarreau wrote:

> On Thu, Jun 30, 2011 at 07:54:42PM +1200, Adrien de Croy wrote:
>> What action if any that leaves us with now is another matter.  Perhaps 
>> we should make some note somewhere, or explicitly deal with the case.  
>> For instance state somewhere that the assumption that requests are 
>> unrelated no longer holds if a particular header is present, indicating 
>> the use of session-based authentication for instance.
> 
> This would be very dangerous, however probably we should document existing
> incompatibilities with the rule (eg: NTLM auth) so that implementers are
> aware of this and plan on being able to adapt to this mode by configuration,
> which implies more than just keeping the 1-to-1 association between client
> and server connection, as it also means that connections should not be
> dropped too often, and almost never during the challenge.
> 
> But I agree with you that stating that this erroneous behaviour should not
> be done will not suddenly make NTLM auth disappear with its associated
> issues.
> 
> Regards,
> Willy
> 
> 

--
Mark Nottingham   http://www.mnot.net/

Received on Friday, 1 July 2011 04:59:09 UTC
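As an added illustration of the two failure modes the thread names (it is not code from the mailing list, the HTTP WG, or any real proxy or server): a constructed Python model of a connection-oriented challenge/response scheme in the style of RFC 4559 placed behind an intermediary that mixes clients' requests onto shared server connections. The two-leg exchange, the HMAC "proof" standing in for a real GSS-API/NTLM token, the credential store and the proxy classes are all assumptions made for the example. With one shared upstream connection the server trusts the connection rather than the message, so a second client's bare request is served as the first client's; with a round-robin pool the second leg of the challenge lands on a different connection and authentication never completes; dedicating one server connection per client (the 1-to-1 association Willy describes) avoids both.

```python
"""Constructed model: connection-scoped authentication (RFC 4559 style)
behind an intermediary that shares server connections between clients.
Added example; not code from the thread or from any real implementation."""
import hmac
from dataclasses import dataclass
from typing import Optional

PASSWORDS = {"alice": "s3cret"}  # constructed credential store (assumption)


@dataclass
class Request:
    client: str                      # which downstream client sent it
    authorization: Optional[str] = None


@dataclass
class Response:
    status: int
    challenge: Optional[str] = None  # WWW-Authenticate value, if any
    body: str = ""


class Connection:
    """Server-side view of one TCP connection.  The scheme keeps its auth
    state here, which is exactly what the #288 text says MUST NOT happen."""
    def __init__(self, conn_id: int):
        self.conn_id = conn_id
        self.pending_nonce: Optional[str] = None
        self.authenticated_as: Optional[str] = None


def proof(user: str, nonce: str) -> str:
    """Toy stand-in for the real token exchange: HMAC(password, nonce)."""
    return hmac.new(PASSWORDS[user].encode(), nonce.encode(), "sha256").hexdigest()


class ConnectionOrientedServer:
    """Two-leg challenge/response whose state lives on the connection."""
    def __init__(self):
        self.counter = 0

    def handle(self, conn: Connection, req: Request) -> Response:
        if conn.authenticated_as:  # trusts the connection, not the message
            return Response(200, body=f"private data for {conn.authenticated_as}")
        if req.authorization == "Negotiate HELLO":  # leg 1: ask for a challenge
            self.counter += 1
            conn.pending_nonce = f"nonce-{self.counter}"
            return Response(401, challenge=f"Negotiate {conn.pending_nonce}")
        if (req.authorization and req.authorization.startswith("Negotiate ")
                and conn.pending_nonce):  # leg 2: must arrive on the same connection
            user, _, resp = req.authorization[len("Negotiate "):].partition(":")
            if user in PASSWORDS and hmac.compare_digest(resp, proof(user, conn.pending_nonce)):
                conn.authenticated_as, conn.pending_nonce = user, None
                return Response(200, body=f"private data for {user}")
        return Response(401, challenge="Negotiate")


class SharedConnectionProxy:
    """Forwards every client's requests round-robin over a pool of server
    connections, as a connection-reusing intermediary might."""
    def __init__(self, server, pool_size: int):
        self.server = server
        self.pool = [Connection(i) for i in range(pool_size)]
        self.next = 0

    def forward(self, req: Request) -> Response:
        conn = self.pool[self.next % len(self.pool)]
        self.next += 1
        return self.server.handle(conn, req)


class AffinityProxy:
    """Dedicates one server connection per client and never drops it
    mid-challenge: the workaround configuration the thread describes."""
    def __init__(self, server):
        self.server = server
        self.conns = {}

    def forward(self, req: Request) -> Response:
        conn = self.conns.setdefault(req.client, Connection(len(self.conns)))
        return self.server.handle(conn, req)


def negotiate(proxy, user: str) -> Response:
    """Client side of the two legs: HELLO, then a proof over the returned nonce."""
    first = proxy.forward(Request(user, "Negotiate HELLO"))
    if first.status == 200:  # connection was already authenticated by someone
        return first
    nonce = first.challenge.split(" ", 1)[1]
    return proxy.forward(Request(user, f"Negotiate {user}:{proof(user, nonce)}"))


def scenario(proxy) -> tuple:
    """alice authenticates, then mallory sends a bare request via the same proxy.
    Returns (alice's final status, mallory's status)."""
    alice = negotiate(proxy, "alice")
    mallory = proxy.forward(Request("mallory"))
    return alice.status, mallory.status


if __name__ == "__main__":
    print(scenario(SharedConnectionProxy(ConnectionOrientedServer(), pool_size=1)))  # (200, 200)
    print(scenario(SharedConnectionProxy(ConnectionOrientedServer(), pool_size=2)))  # (401, 401)
    print(scenario(AffinityProxy(ConnectionOrientedServer())))                       # (200, 401)
```

The first line is the security problem: mallory never presented credentials, yet the shared connection is already marked as alice's and the server answers with alice's data. The second is the interoperability problem: the challenge was issued on one pooled connection and the response arrived on another, so even the legitimate client is refused. Only the affinity proxy, which keeps each client on its own server connection for the life of the exchange, makes the scheme work, and that is a per-deployment configuration rather than something the protocol guarantees.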