Opened 11 years ago

Closed 11 years ago

#2103 defect closed duplicate (duplicate)

http DIGEST authentication forced on each page refresh

Reported by: Cyrus Daboo
Owned by:
Priority: high
Milestone:
Component: web2
Keywords:
Cc:
Branch:
Author:

Description

When using DIGEST authentication, a browser is forced to prompt the user for id/password each time a page is refreshed even after a previous successful auth to that page. The problem is caused by the use of the 'opaque' parameter in the DIGEST operation - Twisted changes this for each request, but clients cache that value and retry/refresh a request using the cached value - that fails and another auth is forced.

Two solutions:

1) Do away with 'opaque' altogether.

2) Use a scheme to cache the opaque value for longer periods of time rather than throw it away after successful auth. A good example of this is in Apache mod_auth_digest which keeps a per-client 'opaque' parameter in a garbage collected map.
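The second option in the description, sketched as an added example; this is not Twisted's or mod_auth_digest's code. The names `OpaqueCache`, `PerRequestOpaque` and `client_id`, and the 300-second lifetime, are assumptions made for illustration.

```python
import secrets
import time


class OpaqueCache:
    """Per-client 'opaque' values kept in a garbage-collected map."""

    def __init__(self, lifetime=300.0, clock=time.monotonic):
        self.lifetime = lifetime  # seconds an opaque stays valid (assumed value)
        self.clock = clock        # injectable so expiry can be exercised
        self._issued = {}         # opaque -> (client_id, expiry time)

    def _collect(self):
        # Drop expired entries so the map cannot grow without bound.
        now = self.clock()
        for opaque in [o for o, (_, exp) in self._issued.items() if exp <= now]:
            del self._issued[opaque]

    def issue(self, client_id):
        """Return the client's live opaque, minting one only if none exists."""
        self._collect()
        for opaque, (owner, _) in self._issued.items():
            if owner == client_id:
                return opaque
        opaque = secrets.token_hex(16)
        self._issued[opaque] = (client_id, self.clock() + self.lifetime)
        return opaque

    def validate(self, client_id, opaque):
        """Accept an opaque issued to this client that has not yet expired."""
        self._collect()
        entry = self._issued.get(opaque)
        return entry is not None and entry[0] == client_id


class PerRequestOpaque:
    """Behaviour the ticket reports: the opaque is thrown away after one use."""

    def __init__(self):
        self._pending = {}  # (client_id, opaque) -> True until first use

    def issue(self, client_id):
        opaque = secrets.token_hex(16)
        self._pending[(client_id, opaque)] = True
        return opaque

    def validate(self, client_id, opaque):
        # Single use: a refresh replaying the cached opaque is rejected.
        return self._pending.pop((client_id, opaque), False)
```

With the cache, a refresh that replays the browser's stored opaque still validates until the entry expires; with the single-use store, the same replay fails and triggers a new challenge.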

Change History (2)

comment:1 Changed 11 years ago by David Reid

Resolution: duplicate
Status: new → closed

comment:2 Changed 7 years ago by <automation>

Owner: David Reid deleted