curl-library

RE: Order of HTTP auth schemes

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 27 Mar 2013 23:09:24 +0100 (CET)

On Wed, 27 Mar 2013, Joe Mason wrote:

> When a site advertises several HTTP auth schemes in a 401 response, the user
> agent is expected to choose the "best" that it supports. The standard
> practice is to use the order:
>
> Negotiate
> NTLM
> Digest
> Basic
>
> See http://dev.chromium.org/developers/design-documents/http-authentication,
> for example:

I've read most of the available HTTP auth specs at least twice. I'm quite sure
that there's no such thing as a prio list anywhere in any HTTP (auth) spec.

But sure, Chromium clearly uses that order and since the browser teams tend to
copy each other very closely I can quickly guess that all the other big
browsers do it in the same way.

> curl prioritizes "Digest" ahead of "NTLM":
> What's the reason for this, and would you be open to swapping it?

I came up with our existing order and as I'm not convinced that NTLM is
automatically a better auth than Digest, I made Digest preferred since it A)
is a real documented standard and B) follows HTTP paradigms that NTLM doesn't.

I'm open to changing the order, sure.

> I wonder if there should be an option to set the priorities for each -
> although I recommend hardcoding BASIC to be the lowest priority.

I've considered it, but I've never figured out a proper use case for when someone
would actually want a different order. The point of the order is to select one
out of N working ones. It shouldn't be possible to select the wrong one from a
functional stand-point, so the list should really be in a rough "most secure"
order and I can't think of good reasons why the secure order would change. Can
you?

But then we've also had similar considerations for the auth methods for some
of the emailing protocols so possibly there is something we should do about
it.

> I found a server with a broken Digest setup. Every desktop browser I tried
> used NTLM auth and was able to log in fine, but our curl-based browser chose
> Digest and the server wouldn't accept any passwords. Users complained.

So it helped you find a problem in that server! ;-P

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2013-03-27
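The selection logic the thread argues about, as an added illustration that is not curl's code and not from either poster: it parses the WWW-Authenticate challenges of a 401, picks a scheme from a priority list, and shows how the two orders named in the mail (Chromium's Negotiate/NTLM/Digest/Basic and curl's Negotiate/Digest/NTLM/Basic of March 2013) diverge on the same response. It also implements Joe's suggestion of pinning Basic to the bottom whatever the caller asks for, plus two things the thread does not contain and that are my additions: refusing Basic on a cleartext connection, and walking down the list when the server rejects the scheme first chosen, which is the behaviour that would have coped with the broken-Digest server Joe describes. The 401 headers and the "server" are constructed for the example.

```python
"""Choose an HTTP auth scheme from a 401's WWW-Authenticate challenges.

Illustration added for the thread above, not curl code. The priority lists
come from the mail; the sample headers and the fake server are constructed.
"""
import re

# Order used by Chromium (and, per the thread, the other big browsers).
BROWSER_ORDER = ("Negotiate", "NTLM", "Digest", "Basic")
# Order curl used when this mail was written: Digest ahead of NTLM.
CURL_2013_ORDER = ("Negotiate", "Digest", "NTLM", "Basic")

# Constructed sample: one 401 response advertising three schemes. The Digest
# challenge's comma-separated params (including a quoted "auth,auth-int")
# are exactly what makes naive splitting on ',' go wrong.
SAMPLE_401_HEADERS = [
    'Digest realm="corp", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"',
    "NTLM",
    'Basic realm="corp"',
]

# quoted-string | token68 (trailing '=' padding allowed before ',' or end)
# | plain token | the two separators
_TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[^\s,=]+=*(?=\s*(?:,|$))|[^\s,=]+|[,=]')


def parse_challenges(header_values):
    """Return [(scheme, params)] from a list of WWW-Authenticate values.

    RFC 7235 lets one header value carry several challenges separated by
    commas, the same separator used between auth-params, so a new challenge
    is recognised by a token after ',' that is NOT followed by '='.
    Quoted values are unquoted but backslash escapes are left as-is."""
    challenges = []
    for value in header_values:
        toks = _TOKEN_RE.findall(value)
        i = 0
        while i < len(toks):
            if toks[i] == ",":
                i += 1
                continue
            scheme, params = toks[i], {}
            i += 1
            while i < len(toks):
                if toks[i] == ",":
                    if i + 2 < len(toks) and toks[i + 2] == "=":
                        i += 1          # another auth-param of this challenge
                        continue
                    break               # a new challenge starts after the comma
                if i + 1 < len(toks) and toks[i + 1] == "=":
                    val = toks[i + 2].strip('"') if i + 2 < len(toks) else ""
                    params[toks[i].lower()] = val
                    i += 3
                else:                   # token68, e.g. an NTLM type-2 blob
                    params["token68"] = toks[i]
                    i += 1
            challenges.append((scheme, params))
    return challenges


def choose_scheme(challenges, priority, tls=True):
    """First scheme in `priority` that the server offered, or None.

    Basic is always considered last whatever position the caller gave it
    (Joe's suggestion in the thread), and is skipped entirely on a cleartext
    connection since it ships the password merely base64-encoded (the
    cleartext check is my addition, not something the thread discusses)."""
    offered = {scheme.lower() for scheme, _ in challenges}
    ordered = [s for s in priority if s.lower() != "basic"] + ["Basic"]
    for scheme in ordered:
        if scheme.lower() not in offered:
            continue
        if scheme.lower() == "basic" and not tls:
            continue
        return scheme
    return None


def negotiate_with_fallback(challenges, priority, try_scheme, tls=True):
    """Walk the priority list, dropping each scheme the server rejects.

    `try_scheme(scheme)` stands in for one authenticated request and returns
    True on success. Returns (scheme_that_worked_or_None, schemes_tried)."""
    remaining = list(challenges)
    tried = []
    while True:
        scheme = choose_scheme(remaining, priority, tls)
        if scheme is None:
            return None, tried
        tried.append(scheme)
        if try_scheme(scheme):
            return scheme, tried
        remaining = [(s, p) for s, p in remaining if s.lower() != scheme.lower()]


def broken_digest_server(scheme):
    """Constructed stand-in for the server in the thread: its Digest setup
    rejects every password, NTLM works, and we do not bother with Basic."""
    return scheme == "NTLM"


if __name__ == "__main__":
    ch = parse_challenges(SAMPLE_401_HEADERS)
    print("offered:", [s for s, _ in ch])
    print("browser order picks:", choose_scheme(ch, BROWSER_ORDER))
    print("curl-2013 order picks:", choose_scheme(ch, CURL_2013_ORDER))
    print("curl-2013 order with fallback:",
          negotiate_with_fallback(ch, CURL_2013_ORDER, broken_digest_server))
```

With the sample response the browser order settles on NTLM and the 2013 curl order on Digest, which is the mismatch Joe's users ran into; only the fallback loop gets the Digest-first client to NTLM, at the cost of one extra round trip and one failed Digest attempt that the server will log.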