curl-library
Re: Order of HTTP auth schemes
Date: Wed, 27 Mar 2013 15:32:51 -0700
I also think that the server was the issue: if it advertises many
authentication schemes but does not work with all of them, maybe it should
not advertise the ones that it doesn't work with! Was the server a
commonly available one?
YA
On 3/27/13 3:09 PM, "Daniel Stenberg" <daniel_at_haxx.se> wrote:
>On Wed, 27 Mar 2013, Joe Mason wrote:
>
>> When a site advertises several HTTP auth schemes in a 401 response, the
>>user
>> agent is expected to choose the "best" that it supports. The standard
>> practice is to use the order:
>>
>> Negotiate
>> NTLM
>> Digest
>> Basic
>>
>> See
>>http://dev.chromium.org/developers/design-documents/http-authentication,
>> for example:
>
>I've read most of the available HTTP auth specs at least twice. I'm quite
>sure
>that there's no such thing as a prio list anywhere in any HTTP (auth)
>spec.
>
>But sure, Chromium clearly uses that order and since the brower teams
>tend to
>copy each other very closesly I can quickly guess that all the other big
>browsers do it in the same way.
>
>> curl prioritizes "Digest" ahead of "NTLM":
>> What's the reason for this, and would you be open to swapping it?
>
>I came up with our existing order and as I'm not convinced that NTLM is
>automatically a better auth than Digest, I made Digest preferred since it
>A)
>is a real documented standard and B) follows HTTP paradigms that NTLM
>doesn't.
>
>I'm open to changing the order, sure.
>
>> I wonder if there should be an option to set the priorities for each -
>> although I recommend hardcoding BASIC to be the lowest priority.
>
>I've considered but I've never figured out a proper use case for when
>someone
>would actually want a different order. The point of the order is to
>select one
>out of N working ones. It shouldn't be possible to select the wrong one
>from a
>functional stand-point, so the list should really be in a rough "most
>secure"
>order and I can't think of good reasons why the secure order would
>change. Can
>you?
>
>But then we've also had similar considerations for the auth methods for
>some
>of the emailing protocols so possibly there is something we should do
>about
>it.
>
>> I found a server with a broken Digest setup. Every desktop browser I
>>tried
>> used NTLM auth and was able to log in fine, but our curl-based browser
>>chose
>> Digest and the server wouldn't accept any passwords. Users complained.
>
>So it helped you find a problem in that server! ;-P
>
>--
>
> / daniel.haxx.se
>-------------------------------------------------------------------
>List admin: http://cool.haxx.se/list/listinfo/curl-library
>Etiquette: http://curl.haxx.se/mail/etiquette.html
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-03-27