WWW-Authenticate header

Maxim Dounin mdounin at mdounin.ru
Mon Jan 13 15:38:27 UTC 2014


Hello!

On Sat, Jan 11, 2014 at 10:28:52PM +0530, Fasih wrote:

> Yes, that's how I noticed it. I am using nginx as a reverse proxy. The
> upstream sends two WWW-Authenticate headers with different realms. I was
> processing www_authenticate header and hadn't realized that it was legal to
> send multiple WWW-Authenticate headers.

Looks like there are indeed valid real-world uses, see e.g. here:

http://stackoverflow.com/a/15894841/1597813

I don't think we want to change www_authenticate to ngx_array_t, 
but it certainly counts as another case requiring better support 
for multiple headers, much like with $upstream_http_set_cookie and 
multiple Set-Cookie headers, and so on.

> 
> On Fri, Jan 10, 2014 at 7:19 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> > Hello!
> >
> > On Fri, Jan 10, 2014 at 05:42:23PM +0530, Fasih wrote:
> >
> > > Hi
> > >
> > > RFC allows a server to respond with multiple WWW-Authenticate headers (
> > > http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47).
> > >
> > > "User agents are advised to take special care in parsing the WWW-
> > > Authenticate field value as it might contain more than one challenge, or if
> > > more than one WWW-Authenticate header field is provided, the contents of a
> > > challenge itself can contain a comma-separated list of authentication
> > > parameters."
> > >
> > > However nginx defines WWW-Authenticate header as an ngx_table_elt_t in
> > > the ngx_http_headers_out_t struct as opposed to an ngx_array_t like other
> > > allowed repeated value headers.
> > >
> > > Is this a bug that I should file?
> >
> > Have you seen this to be a problem in real life?
> >
> > --
> > Maxim Dounin
> > http://nginx.org/


-- 
Maxim Dounin
http://nginx.org/
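
The parsing problem discussed in this thread, as an added Python example (not part of the original messages and not nginx code): it collects every WWW-Authenticate field value and splits it into challenges, treating a comma as a separator only outside quoted strings. The header values are constructed, and `single_slot` models a one-value-per-header store as "last line wins", which is an assumption made for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM_RE = re.compile(rf'^({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})$')
SCHEME_RE = re.compile(rf"^({TOKEN})(?:\s+(.+))?$")

# Constructed sample: an upstream response with two WWW-Authenticate lines.
HEADERS = [
    ("WWW-Authenticate", 'Basic realm="staff, eu", charset="UTF-8"'),
    ("WWW-Authenticate", 'Digest realm="api", qop="auth", Negotiate'),
]

def field_values(headers, name="www-authenticate"):
    return [v for k, v in headers if k.lower() == name]

def single_slot(headers):
    """One slot per header name, modeled as last line wins (assumption)."""
    return (field_values(headers) or [None])[-1]

def split_commas(value):
    """Split a field value on commas that are outside quoted-strings."""
    items, quoted, escaped = [""], False, False
    for ch in value:
        if ch == "," and not quoted:
            items.append("")
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = quoted and ch == "\\" and not escaped
        items[-1] += ch
    return [i.strip() for i in items if i.strip()]

def parse_challenges(values):
    """Return [(scheme, params)]; token68 data after a scheme is not kept."""
    out = []
    for value in values:
        current = None  # a parameter never continues across header lines
        for item in split_commas(value):
            param = PARAM_RE.match(item)
            head = None if param else SCHEME_RE.match(item)
            if head:  # "scheme" or "scheme name=value" opens a challenge
                current = {}
                out.append((head.group(1), current))
                param = PARAM_RE.match(head.group(2) or "")
            elif param is None or current is None:
                raise ValueError(f"malformed WWW-Authenticate item: {item!r}")
            if param:
                name, raw = param.groups()
                raw = raw[1:-1] if raw.startswith('"') else raw
                current[name.lower()] = re.sub(r"\\(.)", r"\1", raw)
    return out
```

Comparing `parse_challenges(field_values(HEADERS))` with `parse_challenges([single_slot(HEADERS)])` shows which challenges a consumer that reads only one header value never sees.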