hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Raúl Kripalani (JIRA) <j...@apache.org>
Subject [jira] [Created] (HTTPCLIENT-1534) HTTP Digest Authentication does not use cookies sent on challenge
Date Mon, 04 Aug 2014 10:37:11 GMT
Raúl Kripalani created HTTPCLIENT-1534:

             Summary: HTTP Digest Authentication does not use cookies sent on challenge
                 Key: HTTPCLIENT-1534
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1534
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient, HttpCookie
    Affects Versions: 4.3.3
            Reporter: Raúl Kripalani

HTTP Client does not process cookies received from the server on the HTTP 401 challenge that
initiates a Digest Auth procedure.

The server could be sending a cookie related to load balancing, which is crucial to ensure
that the 2nd HTTP request with the challenge response (Authorization) reaches the same application/origin
server that created it. Otherwise, the authentication may fail easily.

Imagine a scenario with a load balancer in front of 4 application servers with shared-nothing,
i.e. no common state.

*Request #1 - Challenge request:*

Client sends a normal HTTP request. Load balancer routes it to node 1 and the client receives
an HTTP 401 with Set-Cookie: LBCOOKIE=123456.node1.

*Request #2 - Final request:*

The client then computes the Authorization header and sends the request again.

However, because it does not include the Cookie, the load balancer routes it to node 3, which
doesn't recognise the Authorization challenge and rejects it again with an HTTP 401.

*Result:* The client never passes authentication.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

View raw message