httpd-dev mailing list archives

From "Indraneel Sarkar" <ISAR...@novell.com>
Subject [PATCH] HTTP_NOT_MODIFIED (304) and Authentication-Info (bug???)
Date Tue, 01 Oct 2002 16:54:35 GMT
Hi,

Please refer to my earlier post regarding 304 response and the
"Authentication-Info" header. I am resending it in the hope of
receiving an authoritative response.

Is the "Authentication-Info" header (as defined in RFC-2617) for
Digest-authentication considered an Entity-header? When Apache returns a
"304 Not Modified", it simply includes "WWW-Authenticate" and
"Proxy-Authenticate" among the authentication related headers
(http_protocol.c:1609 for Apache2, and http_protocol.c:2746 for
Apache-1.3.26). According to RFC-2616, 304 should not include "other
entity headers". Now, if Digest authentication (or any other scheme
that makes use of Authentication-Info) is enabled for a particular
location, and the server has to return a 304, this header does not go
across. This would break the auth info state between the client and the
server. Since Digest-authentication is an accepted extension to
HTTP/1.1, shouldn't "Authentication-Info" also be sent across?

If it is determined that "Authentication-Info" needs to be sent across
for a 304 Not Modified response, I am attaching a patch that will do
the needful.


--- http_protocol.c	Thu Sep  5 19:27:48 2002
+++ http_protocol.c	Tue Oct  1 10:49:33 2002
@@ -1618,6 +1618,7 @@
                      "Warning",
                      "WWW-Authenticate",
                      "Proxy-Authenticate",
+                     "Authentication-Info",
                      NULL);
     }
     else {
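
Review bot: the new "Authentication-Info" entry at the end of the kept-header list has no proxy counterpart, although "Proxy-Authenticate" sits directly above it; RFC 2617 also defines "Proxy-Authentication-Info", so consider adding it in the same change or stating why it is left out. The hunk covers a single http_protocol.c at line 1618, so the Apache-1.3.26 location cited in the message (http_protocol.c:2746) would need its own patch. A short comment above the list noting that these authentication headers are kept on a 304 despite the RFC-2616 "other entity headers" wording would help later readers.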



Thanks,
-Indu
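
Added example, not part of the original message and not Apache's source: a small C model of the behaviour described above, in which a 304 response is filtered through a header allowlist and a Digest client then looks for `nextnonce`. The struct, function names, allowlist arrays and header values are hypothetical and constructed for illustration; the allowlist entries are the ones visible in the hunk.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
struct hdr { const char *name, *value; };
/* Constructed sample: headers prepared for a Digest-protected resource. */
static const struct hdr sample[] = {
    { "Content-Type", "text/html" },
    { "Authentication-Info", "nextnonce=\"f00dfeed\", qop=auth, nc=00000001" },
};
#define NSAMPLE (sizeof sample / sizeof sample[0])
/* Hypothetical allowlists: the entries visible in the hunk, before and after. */
static const char *keep_before[] = { "Warning", "WWW-Authenticate", "Proxy-Authenticate", NULL };
static const char *keep_after[] = { "Warning", "WWW-Authenticate",
                                    "Proxy-Authenticate", "Authentication-Info", NULL };

/* Keep only headers named in keep[] (case-insensitive); return how many. */
static size_t filter_304(const struct hdr *in, size_t n, const char **keep, struct hdr *out) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        for (const char **k = keep; *k; k++)
            if (strcasecmp(in[i].name, *k) == 0) { out[kept++] = in[i]; break; }
    return kept;
}
/* Client side: copy nextnonce out of Authentication-Info; 1 if found, else 0. */
static int next_nonce(const struct hdr *h, size_t n, char *buf, size_t len) {
    static const char key[] = "nextnonce=\"";
    for (size_t i = 0; i < n; i++) {
        if (strcasecmp(h[i].name, "Authentication-Info") != 0) continue;
        const char *p = strstr(h[i].value, key);
        if (!p) return 0;
        p += sizeof key - 1;
        const char *end = strchr(p, '"');
        if (!end || (size_t)(end - p) >= len) return 0;
        memcpy(buf, p, (size_t)(end - p));
        buf[end - p] = '\0';
        return 1;
    }
    return 0;   /* header was filtered out: client keeps using its old nonce */
}
/* Does the client learn the next nonce from a 304 filtered through keep[]? */
static int client_gets_nonce(const char **keep, char *buf, size_t len) {
    struct hdr out[NSAMPLE];
    return next_nonce(out, filter_304(sample, NSAMPLE, keep, out), buf, len);
}
int main(void) {
    char n[64];
    printf("before: %s\n", client_gets_nonce(keep_before, n, sizeof n) ? n : "(nextnonce lost)");
    printf("after:  %s\n", client_gets_nonce(keep_after, n, sizeof n) ? n : "(nextnonce lost)");
    return 0;
}
```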

