W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2013

Re: Question on Multiplicity of Authorization and WWW-Authenticate

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 16 Apr 2013 14:34:41 +0200
Message-ID: <516D4561.6090300@gmx.de>
To: algermissen1971 <algermissen1971@me.com>
CC: Jan Algermissen <jan.algermissen@nordsc.com>, ietf-http-wg@w3.org
On 2013-04-16 14:11, algermissen1971 wrote:
> On 16.04.2013, at 14:05, Julian Reschke <julian.reschke@gmx.de> wrote:
>> On 2013-04-16 13:55, Jan Algermissen wrote:
>>> Hi,
>>> I was wondering whether there can be multiple Authorization headers in an HTTP request.
>>> AFAIU does not address the question, so I turned to [2] which suggests that there can only be one Authorization header per request. Because Authorization does not have a list value format.
>>> Is that interpretation correct?
>>> I am wondering because I understand [1] to say that WWW-Authenticate can indeed be used multiple times. However, WWW-Authenticate also does not have a list value format but is also not listed as an exception in [2], as is Set-Cookie.
>>> Can anyone clarify?
>>> ...
>> WWW-Authenticate *does* use the list format, so yes, it can be repeated.
> Hmm, is that because the ',' separates the various challanges. So, WWW-Authenticate value is a list of the value of Authorization header, yes?
> Jan

It's because the ABNF uses the "#" list production. And yes, this 
implies that you can either use multiple header field instances, or 
separate multiple values by "," in a single header field.

Best regards, Julian
Received on Tuesday, 16 April 2013 12:35:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:10 UTC