hc-dev mailing list archives

From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (HTTPCLIENT-1534) HTTP Digest Authentication does not use cookies sent on challenge
Date Mon, 04 Aug 2014 15:09:12 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski resolved HTTPCLIENT-1534.

    Resolution: Duplicate

> HTTP Digest Authentication does not use cookies sent on challenge
> -----------------------------------------------------------------
>                 Key: HTTPCLIENT-1534
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1534
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient, HttpCookie
>    Affects Versions: 4.3.3
>            Reporter: Raúl Kripalani
> HTTP Client does not process cookies received from the server on the HTTP 401 challenge that initiates a Digest Auth procedure.
> The server could be sending a cookie related to load balancing, which is crucial to ensure that the 2nd HTTP request with the challenge response (Authorization) reaches the same application/origin server that created it. Otherwise, the authentication may fail easily.
> Imagine a scenario with a load balancer in front of 4 application servers with shared-nothing, i.e. no common state.
> *Request #1 - Challenge request:*
> Client sends a normal HTTP request. Load balancer routes it to node 1 and the client receives an HTTP 401 with Set-Cookie: LBCOOKIE=123456.node1.
> *Request #2 - Final request:*
> The client then computes the Authorization header and sends the request again.
> However, because it does not include the Cookie, the load balancer routes it to node 3, which doesn't recognise the Authorization challenge and rejects it again with an HTTP 401.
> *Result:* The client never passes authentication.

This message was sent by Atlassian JIRA
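The failure sequence the report describes, as an added simulation that is not part of the JIRA issue or of HttpClient itself: four shared-nothing nodes behind a round-robin balancer that honours a sticky LBCOOKIE, a client that either replays or drops the cookie set on the 401, and a Digest response computed as in RFC 2617 (no qop). Credentials, cookie format and node names are constructed sample values.

```python
import hashlib, itertools, secrets
USER, PASSWORD, REALM = "alice", "s3cret", "app"  # constructed sample credentials
md5_hex = lambda s: hashlib.md5(s.encode()).hexdigest()

def digest_response(nonce, method, uri):
    """RFC 2617 Digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Node:  # shared-nothing origin server: it only accepts nonces it issued itself
    def __init__(self, name):
        self.name, self.nonces = name, set()

    def handle(self, req):
        auth = req.get("Authorization")
        if auth and auth["nonce"] in self.nonces and \
                auth["response"] == digest_response(auth["nonce"], req["method"], req["uri"]):
            return 200, {}
        nonce = secrets.token_hex(8)
        self.nonces.add(nonce)
        return 401, {"WWW-Authenticate": {"realm": REALM, "nonce": nonce},
                     "Set-Cookie": f"LBCOOKIE=123456.{self.name}"}  # sticky-session cookie

class LoadBalancer:  # round-robin, unless the request carries the sticky LBCOOKIE
    def __init__(self, nodes):
        self.by_name = {n.name: n for n in nodes}
        self.rr = itertools.cycle(nodes)

    def route(self, req):
        cookie = req.get("Cookie", "")
        if cookie.startswith("LBCOOKIE="):
            return self.by_name[cookie.rsplit(".", 1)[1]]
        return next(self.rr)

def authenticate(honor_set_cookie):
    """Run the two-request Digest exchange; return (final status, answering node)."""
    lb = LoadBalancer([Node(f"node{i}") for i in range(1, 5)])
    req1 = {"method": "GET", "uri": "/"}
    status, hdrs = lb.route(req1).handle(req1)  # 401 challenge, served by node1
    chal = hdrs["WWW-Authenticate"]
    req2 = {"method": "GET", "uri": "/", "Authorization": {
        "nonce": chal["nonce"], "response": digest_response(chal["nonce"], "GET", "/")}}
    if honor_set_cookie:  # the missing behaviour: replay the cookie from the challenge
        req2["Cookie"] = hdrs["Set-Cookie"]
    node = lb.route(req2)
    status, _ = node.handle(req2)
    return status, node.name
```

With the cookie replayed the second request lands on node1 and succeeds; without it round-robin sends it to a node that never issued the nonce, which re-challenges with 401 exactly as the report describes.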
