From: "Indraneel Sarkar"
Date: Fri, 27 Sep 2002 13:55:43 -0600
Subject: HTTP_NOT_MODIFIED (304) and Authentication-Info

Is the "Authentication-Info" header (as defined in RFC-2617) for Digest-authentication considered an Entity-header?

When Apache returns a "304 Not Modified", it simply includes "WWW-Authenticate" and "Proxy-Authenticate" among the authentication related headers (http_protocol.c:1609 for Apache2, and http_protocol.c:2746 for Apache-1.3.26). According to RFC-2616, 304 should not include "other entity headers".

Now, if Digest authentication (or any other scheme that makes use of Authentication-Info) is enabled for a particular location, and the server has to return a 304, this header does not go across. This would break the auth info state between the client and the server.

Since Digest-authentication is an accepted extension to HTTP/1.1, shouldn't "Authentication-Info" also be sent across?

Thanks,
-Indu
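The header filtering the message describes, as an added sketch that is not part of the original message and is not httpd's code. The names `filter_304`, `keep_304` and `keep_304_authinfo` are hypothetical, the sample headers are constructed, and only the two `*-Authenticate` entries in the allow-list are taken from the message.

```c
#include <ctype.h>
#include <stdio.h>
struct hdr { const char *name, *value; };

/* Allow-list for a 304. Only the two *-Authenticate names come from the
 * message above; the others are assumed for illustration, not httpd's list. */
static const char *const keep_304[] = { "Date", "ETag", "Expires",
    "WWW-Authenticate", "Proxy-Authenticate", NULL };
/* Same list plus the header the message asks about. */
static const char *const keep_304_authinfo[] = { "Date", "ETag", "Expires",
    "WWW-Authenticate", "Proxy-Authenticate", "Authentication-Info", NULL };

/* Constructed response headers for a Digest-protected resource. */
static const struct hdr sample[] = {
    { "Date", "Fri, 27 Sep 2002 19:55:43 GMT" },
    { "Content-Type", "text/html" },
    { "authentication-info", "nextnonce=\"constructed-nonce\"" },
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

/* Header field names compare case-insensitively. */
static int ieq(const char *a, const char *b)
{
    for (; *a && tolower((unsigned char)*a) == tolower((unsigned char)*b); a++)
        b++;
    return *a == *b;
}

/* Copy into out[] only the headers named in list; returns the count kept. */
static size_t filter_304(const char *const *list, const struct hdr *in,
                         size_t n, struct hdr *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        for (const char *const *p = list; *p; p++)
            if (ieq(*p, in[i].name)) { out[kept++] = in[i]; break; }
    return kept;
}

int main(void)
{
    struct hdr out[NSAMPLE];
    printf("kept with list as described: %zu\n",
           filter_304(keep_304, sample, NSAMPLE, out));
    size_t n = filter_304(keep_304_authinfo, sample, NSAMPLE, out);
    for (size_t i = 0; i < n; i++)
        printf("%s: %s\n", out[i].name, out[i].value);
    return 0;
}
```

With the first list the constructed `nextnonce` never reaches the client on a 304, which is the loss of state the message describes.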