WWW-Authenticate header

Fasih faskiri.devel at gmail.com
Sat Jan 11 16:58:52 UTC 2014


Yes, that's how I noticed it. I am using nginx as a reverse proxy. The
upstream sends two WWW-Authenticate headers with different realms. I was
processing the www_authenticate header and hadn't realized that it was legal to
send multiple WWW-Authenticate headers.


On Fri, Jan 10, 2014 at 7:19 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Fri, Jan 10, 2014 at 05:42:23PM +0530, Fasih wrote:
>
> > Hi
> >
> > RFC allows a server to respond with multiple WWW-Authenticate headers (
> > http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47).
> >
> > "User agents are advised to take special care in parsing the WWW-
> > Authenticate field value as it might contain more than one challenge, or if
> > more than one WWW-Authenticate header field is provided, the contents of a
> > challenge itself can contain a comma-separated list of authentication
> > parameters."
> >
> > However nginx defines WWW-Authenticate header as an ngx_table_elt_t in
> > the ngx_http_headers_out_t struct as opposed to an ngx_array_t like other
> > allowed repeated value headers.
> >
> > Is this a bug that I should file?
>
> Have you seen this to be a problem in real life?
>
> --
> Maxim Dounin
> http://nginx.org/
>
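
The parsing problem raised in this thread, as an added example that is not code from nginx or from either poster: a response's challenges have to be collected from every WWW-Authenticate field line, and commas have to be split with care because they separate both challenges and the parameters inside one challenge. The function names and the sample header values are constructed for illustration, and well-formed input is assumed.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# auth-param: name = token | quoted-string (the whole item must match)
PARAM = re.compile(r'(%s)\s*=\s*("(?:[^"\\]|\\.)*"|%s)$' % (TOKEN, TOKEN))

def split_top_level(value):
    """Split a field value on commas that are not inside a quoted-string."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    items.append("".join(buf).strip())
    return [i for i in items if i]

def unquote(v):
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v

def parse_challenges(field_values):
    """field_values: every WWW-Authenticate field line of one response, in order."""
    challenges = []
    for value in field_values:
        current = None                      # params never carry across field lines
        for item in split_top_level(value):
            m = PARAM.match(item)
            if m and current is not None:   # bare name=value extends the last challenge
                current["params"][m.group(1).lower()] = unquote(m.group(2))
                continue
            parts = item.split(None, 1)     # otherwise the item opens a new challenge
            rest = parts[1].strip() if len(parts) > 1 else ""
            current = {"scheme": parts[0], "params": {}, "token68": None}
            m = PARAM.match(rest)
            if m:
                current["params"][m.group(1).lower()] = unquote(m.group(2))
            elif rest:
                current["token68"] = rest
            challenges.append(current)
    return challenges

# Constructed sample: two field lines with different realms, one holding two challenges.
SAMPLE = ['Basic realm="staff, internal"', 'Digest realm="api", qop="auth", Negotiate']
```

Code that keeps only the first field line of `SAMPLE` would see the Basic challenge and miss the Digest and Negotiate ones.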