W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2013

Re: Question on Multiplicity of Authorization and WWW-Authenticate

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 16 Apr 2013 14:05:41 +0200
Message-ID: <516D3E95.6050202@gmx.de>
To: Jan Algermissen <jan.algermissen@nordsc.com>
CC: ietf-http-wg@w3.org
On 2013-04-16 13:55, Jan Algermissen wrote:
> Hi,
>
> I was wondering whether there can be multiple Authorization headers in an HTTP request.
>
> AFAIU does not address the question, so I turned to [2] which suggests that there can only be one Authorization header per request. Because Authorization does not have a list value format.
>
> Is that interpretation correct?
>
> I am wondering because I understand [1] to say that WWW-Authenticate can indeed be used multiple times. However, WWW-Authenticate also does not have a list value format but is also not listed as an exception in [2], as is Set-Cookie.
>
> Can anyone clarify?
> ...

WWW-Authenticate *does* use the list format, so yes, it can be repeated.

And no, Authorization does not.

Best regards, Julian
Received on Tuesday, 16 April 2013 12:06:12 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:10 UTC