- From: Adrien de Croy <adrien@qbik.com>
- Date: Wed, 05 Oct 2011 22:16:30 +1300
- To: HTTP Working Group <ietf-http-wg@w3.org>
Hi all,

I'm hoping someone can help here. I've been trawling RFC2616 and 2617 for clarity on an issue a customer is having.

They have an AV product that does updates using HTTP, and has configuration settings for a proxy, and settings to enable/disable proxy auth and supply credentials.

The problem is the software sends Proxy-Authorization in all requests, using Basic, and no user/pass - just a base64 encoded ':'.

Since the credentials are empty, we fail authorization, even though policy didn't require authorization; the existence of the Proxy-Authorization header in the request triggered our auth code.

The reason we go straight into our auth code on the existence of this header is that with Basic auth, the client will commonly re-use the credentials it previously successfully validated, and going straight to check the creds saves a 407 and a round trip.

I'm struggling to find any language in 2616 and 2617 that states that a Proxy-Authorization with empty creds is invalid, although it seems like an incredibly bad idea.

The customer contacted the vendor of the offending software, and they said it's by design and not considered a bug.

Maybe we need to clarify this going forward?

I think a client shouldn't send P-A unless they wish to authenticate, and shouldn't send Basic creds without clear directive from the user (since it's a potential credential leak).

Adrien

--
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Wednesday, 5 October 2011 09:17:10 UTC
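The situation the message describes, as an added worked example that is not part of the original post and is not WinGate code: a client sends `Proxy-Authorization: Basic Og==` (base64 of a bare `:`, i.e. empty user-id and empty password) on every request. The block parses that header on the proxy side and contrasts two policies: the behaviour the message describes, where the mere presence of the header routes the request into credential checking and the empty credential therefore fails with 407, and one possible alternative (an assumption of this example, not a change the author proposes) where an empty Basic credential is treated as if no header had been sent, so the configured policy decides. The request strings, the `ACCOUNTS` store and all function names are constructed for the example.

```python
import base64
import binascii

# Constructed sample requests modelled on the message (not captured traffic).
# base64(":") == "Og==", which is what an "empty" Basic credential looks like.
REQ_NO_HEADER = (
    "GET http://updates.example.invalid/defs.dat HTTP/1.1\r\n"
    "Host: updates.example.invalid\r\n\r\n"
)
REQ_EMPTY_BASIC = (
    "GET http://updates.example.invalid/defs.dat HTTP/1.1\r\n"
    "Host: updates.example.invalid\r\n"
    "Proxy-Authorization: Basic Og==\r\n\r\n"
)
REQ_REAL_BASIC = (
    "GET http://updates.example.invalid/defs.dat HTTP/1.1\r\n"
    "Host: updates.example.invalid\r\n"
    "Proxy-Authorization: Basic "
    + base64.b64encode(b"alice:s3cret").decode("ascii")
    + "\r\n\r\n"
)

# Hypothetical credential store, only for the example.
ACCOUNTS = {"alice": "s3cret"}


def get_header(request, name):
    """Return the value of the first header called `name` (case-insensitive), or None."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            key, value = line.split(":", 1)
            if key.strip().lower() == name.lower():
                return value.strip()
    return None


def parse_basic(value):
    """Decode a 'Basic <base64>' credential into (user_id, password).

    Returns None for a non-Basic scheme or an undecodable token. The "Og=="
    case decodes to ("", ""): syntactically a credential, but an empty one.
    """
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None                               # RFC 2617 requires user-id ":" password
    user, _, password = raw.partition(":")
    return user, password


def valid(creds):
    """Check a (user_id, password) pair against the hypothetical store."""
    user, password = creds
    return user != "" and ACCOUNTS.get(user) == password


def decide_header_triggers_auth(request, policy_requires_auth):
    """Behaviour the message describes: any Proxy-Authorization header sends the
    request straight into credential checking (saving a 407 round trip for
    clients that re-use good Basic creds), so 'Basic Og==' fails with 407 even
    when policy would have let the request through. Returns the status code."""
    header = get_header(request, "Proxy-Authorization")
    if header is not None:
        creds = parse_basic(header)
        return 200 if creds is not None and valid(creds) else 407
    return 407 if policy_requires_auth else 200


def decide_empty_creds_as_absent(request, policy_requires_auth):
    """Alternative (an assumption of this example): an empty Basic credential is
    treated exactly like a missing header, so the configured policy decides.
    A present-but-unparseable header is still rejected."""
    header = get_header(request, "Proxy-Authorization")
    creds = None
    if header is not None:
        creds = parse_basic(header)
        if creds is None:
            return 407                            # present but not a usable Basic credential
        if creds == ("", ""):
            creds = None                          # nothing was actually offered
    if creds is None:
        return 407 if policy_requires_auth else 200
    return 200 if valid(creds) else 407


if __name__ == "__main__":
    for name, req in [("no header", REQ_NO_HEADER),
                      ("Basic Og==", REQ_EMPTY_BASIC),
                      ("real creds", REQ_REAL_BASIC)]:
        print(f"{name:12} policy=off  as-described={decide_header_triggers_auth(req, False)}"
              f"  empty-as-absent={decide_empty_creds_as_absent(req, False)}")
```

Running the block shows the mismatch at the heart of the message: with proxy auth switched off in policy, the `Basic Og==` request gets 407 under the as-described logic and 200 under the alternative, while requests with no header or with real credentials are handled identically by both. Whether an empty credential should count as "authentication attempted" is exactly the point the message asks the working group to settle; the example only makes the two readings concrete.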