WWW-Authenticate header

Maxim Dounin mdounin at mdounin.ru
Fri Jan 10 13:49:46 UTC 2014


On Fri, Jan 10, 2014 at 05:42:23PM +0530, Fasih wrote:

> Hi
> RFC allows a server to respond with multiple WWW-Authenticate header (
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47).
> "User agents are advised to take special care in parsing the WWW-
> Authenticate field value as it might contain more than one challenge, or if
> more than one WWW-Authenticate header field is provided, the contents of a
> challenge itself can contain a comma-separated list of authentication
> parameters."
> However nginx defines WWW-Authenticate header as an ngx_table_elt_t in
> the ngx_http_headers_out_t struct as opposed to an ngx_array_t like other
> allowed repeated value headers.
> Is this a bug that I should file?

Have you seen this to be a problem in real life?

Maxim Dounin

More information about the nginx-devel mailing list