Posted to dev@httpd.apache.org by Indraneel Sarkar <IS...@novell.com> on 2002/09/27 21:55:43 UTC

HTTP_NOT_MODIFIED (304) and Authentication-Info

Is the "Authentication-Info" header (as defined in RFC-2617) for
Digest-authentication considered an Entity-header? When Apache returns a
"304 Not Modified", it simply includes "WWW-Authenticate" and
"Proxy-Authenticate" among the authentication related headers
(http_protocol.c:1609 for Apache2, and http_protocol.c:2746 for
Apache-1.3.26). According to RFC-2616, 304 should not include "other
entity headers". Now, if Digest authentication (or any other scheme that
makes use of Authentication-Info) is enabled for a particular location,
and the server has to return a 304, this header does not go across. This
would break the auth info state between the client and the server. Since
Digest-authentication is an accepted extension to HTTP/1.1, shouldn't
"Authentication-Info" also be sent across?

Thanks,
-Indu
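
The effect described in the message above, as an added example that is not part of the original post and is not Apache's code: a 304 response passed through a header allow-list, and a Digest client that takes its next nonce from the RFC 2617 nextnonce parameter of Authentication-Info. The allow-list models only the two authentication headers the post names; the function names and nonce values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct hdr { const char *name; const char *value; };

/* Model of the auth headers the post says survive a 304 (assumption, not Apache's list). */
static const char *const ALLOW_POSTED[] = { "WWW-Authenticate", "Proxy-Authenticate", NULL };
/* The same list with the header the post asks about added. */
static const char *const ALLOW_WITH_AI[] = { "WWW-Authenticate", "Proxy-Authenticate",
                                             "Authentication-Info", NULL };

/* Copy only allow-listed headers (names compared case-insensitively); return count kept. */
static size_t filter_304(const struct hdr *in, size_t n, const char *const *allow, struct hdr *out) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        for (const char *const *a = allow; *a; a++)
            if (strcasecmp(in[i].name, *a) == 0) { out[kept++] = in[i]; break; }
    return kept;
}

/* Client side: adopt nextnonce="..." from Authentication-Info (simplified parse).
   Returns 1 if the nonce was updated, 0 if the header or parameter is absent. */
static int client_update_nonce(const struct hdr *h, size_t n, char *nonce, size_t cap) {
    static const char key[] = "nextnonce=\"";
    for (size_t i = 0; i < n; i++) {
        if (strcasecmp(h[i].name, "Authentication-Info") != 0) continue;
        const char *p = strstr(h[i].value, key);
        if (!p) return 0;
        p += sizeof key - 1;
        const char *end = strchr(p, '"');
        if (!end || (size_t)(end - p) >= cap) return 0;
        memcpy(nonce, p, (size_t)(end - p));
        nonce[end - p] = '\0';
        return 1;
    }
    return 0;
}

/* One 304 exchange over constructed headers; 1 if the client ends on the server's new nonce. */
static int nonce_in_sync_after_304(const char *const *allow) {
    const struct hdr resp[] = {
        { "Content-Type", "text/html" },
        { "Authentication-Info", "nextnonce=\"N2-constructed\", qop=auth, nc=00000001" } };
    struct hdr sent[2];
    char nonce[64] = "N1-constructed";   /* nonce the client used for this request */
    size_t kept = filter_304(resp, 2, allow, sent);
    return client_update_nonce(sent, kept, nonce, sizeof nonce) && strcmp(nonce, "N2-constructed") == 0;
}

int main(void) {
    printf("in sync: posted list=%d, with Authentication-Info=%d\n",
           nonce_in_sync_after_304(ALLOW_POSTED), nonce_in_sync_after_304(ALLOW_WITH_AI));
    return 0;
}
```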