Posted to dev@httpd.apache.org by Indraneel Sarkar <IS...@novell.com> on 2002/10/01 18:54:35 UTC

[PATCH] HTTP_NOT_MODIFIED (304) and Authentication-Info (bug???)

Hi,

Please refer to my earlier post regarding 304 response and the
"Authentication-Info" header. I am resending it in the hope of
receiving an authoritative response.

Is "Authentication-Info" header (as defined in RFC-2617) for
Digest-authentication considered Entity-header? When Apache returns a
"304 Not Modified", it simply includes "WWW-Authenticate" and
"Proxy-Authenticate" among the authentication related headers
(http_protocol.c:1609 for Apache2, and http_protocol.c:2746 for
Apache-1.3.26). According to RFC-2616, 304 should not include "other
entity headers". Now, if Digest authentication (or any other scheme
that makes use of Authentication-Info) is enabled for a particular
location, and the server has to return a 304, this header does not go
across. This would break the auth info state between the client and
the server. Since Digest-authentication is an accepted extension to
HTTP/1.1, shouldn't "Authentication-Info" also be sent across?

If it is determined that "Authentication-Info" needs to be sent across
for a 304 Not Modified response, I am attaching a patch that will do
the needful.


--- http_protocol.c	Thu Sep  5 19:27:48 2002
+++ http_protocol.c	Tue Oct  1 10:49:33 2002
@@ -1618,6 +1618,7 @@
                      "Warning",
                      "WWW-Authenticate",
                      "Proxy-Authenticate",
+                     "Authentication-Info",
                      NULL);
     }
     else {
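
Review bot: The new "Authentication-Info" entry on the + line is added without a comment saying why this header is exempt from the 304 restriction on other entity headers that the post cites from RFC-2616; a short comment above the list pointing to RFC-2617 would keep a later cleanup from removing it again. The list carries both "WWW-Authenticate" and "Proxy-Authenticate", but only one info header is added, so please confirm whether a proxy-side counterpart needs the same treatment. The diff header gives no directory or branch, and the post mentions both Apache2 and Apache-1.3.26, so state which tree this applies to and whether the other needs the same change.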



Thanks,
-Indu