Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

On 1/03/2012 1:58 p.m., Henrik Nordström wrote:
> tor 2012-03-01 klockan 13:13 +1300 skrev Adrien de Croy:
>> NTLM could be made non-connection-oriented if http auth had some sort of
>> context attribute that identified the auth conversation (in both
>> challenges and responses), instead of having to associate it with the
>> connection.
> Yes.
>
> Also would have been quite trivial for NTLM/Negotiate to use a hashed
> session cookie similar to how Digest operates. NTLM has shared secrets
> only known to client & server.
>
> Which is again the question if auth framework should have some kind of
> session concept, or if that belongs in the auth scheme.

I'd lean towards putting it in the framework.  Then implementation 
issues in underlying auth systems can be resolved independently by 
server / proxy vendors without e.g. requiring changes to the underlying OS.

For instance SSPI, which is used for auth on Windows servers, only takes
a single handle to identify the particular conversation.  It's finding
this handle in the absence of any other identifying attribute that I'm
sure led MS to opt for the connection as the place to store it.
Probably that plus (in thread per connection model) impersonation
requirements.

Adrien

> Regards
> Henrik
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 is released! - http://www.wingate.com/getlatest/
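An added illustration, not part of this thread, of the distinction the messages above draw: a toy two-round challenge/response scheme whose conversation state is keyed either by the connection (as NTLM does today) or by an opaque context id carried in the challenge and echoed in the response (the framework-level session concept being proposed). The shared secret, message shapes and context id format are constructed for the demo and follow no real NTLM or SSPI wire format.

```python
import hmac, hashlib, secrets
from typing import Optional

# Constructed demo secret; stands in for the secret shared by client and server.
SHARED_SECRET = b"demo-shared-secret"

def _proof(nonce: bytes) -> str:
    """Client's answer to a challenge: keyed hash of the server nonce."""
    return hmac.new(SHARED_SECRET, nonce, hashlib.sha256).hexdigest()

class ConnectionBoundServer:
    """State lives on the connection: both rounds must use the same conn_id."""
    def __init__(self):
        self.pending = {}  # conn_id -> outstanding nonce

    def handle(self, conn_id: str, authorization: Optional[dict]) -> dict:
        if not authorization or "proof" not in authorization:
            nonce = secrets.token_bytes(8)
            self.pending[conn_id] = nonce
            return {"status": 401, "challenge": nonce.hex()}
        nonce = self.pending.pop(conn_id, None)  # one-shot: no replay of a nonce
        if nonce is None:
            return {"status": 401, "error": "no conversation on this connection"}
        ok = hmac.compare_digest(authorization["proof"], _proof(nonce))
        return {"status": 200 if ok else 401}

class ContextIdServer:
    """State keyed by an opaque context id sent in the challenge and echoed
    back by the client, so the conversation survives a connection change."""
    def __init__(self):
        self.pending = {}  # ctx -> outstanding nonce

    def handle(self, conn_id: str, authorization: Optional[dict]) -> dict:
        if not authorization or "proof" not in authorization:
            ctx, nonce = secrets.token_hex(8), secrets.token_bytes(8)
            self.pending[ctx] = nonce
            return {"status": 401, "ctx": ctx, "challenge": nonce.hex()}
        nonce = self.pending.pop(authorization.get("ctx"), None)
        if nonce is None:
            return {"status": 401, "error": "unknown or expired context"}
        ok = hmac.compare_digest(authorization["proof"], _proof(nonce))
        return {"status": 200 if ok else 401}

def run_handshake(server, first_conn: str, second_conn: str) -> int:
    """Round 1 on first_conn, round 2 on second_conn; returns final status."""
    ch = server.handle(first_conn, None)
    resp = {"proof": _proof(bytes.fromhex(ch["challenge"]))}
    if "ctx" in ch:
        resp["ctx"] = ch["ctx"]
    return server.handle(second_conn, resp)["status"]
```

With the connection-bound server the handshake only completes when both rounds share a connection; with the context id it completes across connections, and because the server discards the context after one use a second response against the same context is rejected.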

Received on Thursday, 1 March 2012 01:09:25 UTC