- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 16 Apr 2013 14:34:41 +0200
- To: algermissen1971 <algermissen1971@me.com>
- CC: Jan Algermissen <jan.algermissen@nordsc.com>, ietf-http-wg@w3.org
On 2013-04-16 14:11, algermissen1971 wrote: > > On 16.04.2013, at 14:05, Julian Reschke <julian.reschke@gmx.de> wrote: > >> On 2013-04-16 13:55, Jan Algermissen wrote: >>> Hi, >>> >>> I was wondering whether there can be multiple Authorization headers in an HTTP request. >>> >>> AFAIU does not address the question, so I turned to [2] which suggests that there can only be one Authorization header per request. Because Authorization does not have a list value format. >>> >>> Is that interpretation correct? >>> >>> I am wondering because I understand [1] to say that WWW-Authenticate can indeed be used multiple times. However, WWW-Authenticate also does not have a list value format but is also not listed as an exception in [2], as is Set-Cookie. >>> >>> Can anyone clarify? >>> ... >> >> WWW-Authenticate *does* use the list format, so yes, it can be repeated. > > Hmm, is that because the ',' separates the various challanges. So, WWW-Authenticate value is a list of the value of Authorization header, yes? > > Jan It's because the ABNF uses the "#" list production. And yes, this implies that you can either use multiple header field instances, or separate multiple values by "," in a single header field. Best regards, Julian
Received on Tuesday, 16 April 2013 12:35:15 UTC