httpd-dev mailing list archives

From "Indraneel Sarkar" <>
Subject HTTP_NOT_MODIFIED (304) and Authentication-Info
Date Fri, 27 Sep 2002 19:55:43 GMT
Is the "Authentication-Info" header (as defined in RFC-2617) for
Digest-authentication considered an Entity-header? When Apache returns a
"304 Not Modified", it simply includes "WWW-Authenticate" and
"Proxy-Authenticate" among the authentication related headers
(http_protocol.c:1609 for Apache2, and http_protocol.c:2746 for
Apache-1.3.26). According to RFC-2616, 304 should not include "other
entity headers". Now, if Digest authentication (or any other scheme that
makes use of Authentication-Info) is enabled for a particular location,
and the server has to return a 304, this header does not go across. This
would break the auth info state between the client and the server. Since
Digest-authentication is an accepted extension to HTTP/1.1, shouldn't
"Authentication-Info" also be sent across?

