Re: stale=true in digest auth



Jari Urpalainen wrote:
> Hi !
> 
> Current library emits REAUTHENTICATE signal when the WWW-authenticate
> header contains stale=true. Included a patch which changes this to the
> AUTHENTICATE signal which is imo the right behavior.

Huh. I never knew about the "stale" flag. (I didn't write the original
Digest code, and haven't modified it that much since it was written...)

But there are two problems with this patch: first, emitting
"authenticate" is wrong too; it shouldn't be asking the app for the
password again at all, it should just be recomputing the digest response
from the existing password. Second, the patch puts Digest-specific
knowledge into SoupSession, which is inelegant...

The right fix is to fix SoupSession so that instead of always replacing
the old auth with the new auth, it calls some SoupAuth method instead to
merge the two together (and then the SoupAuthDigest implementation of
that would do the right thing with "stale").

And then we need a regression test to make sure this stays fixed in the
future.

So anyway, thanks for the report. I'm not taking this patch as is, but
I'm working on the bug and will hopefully have it fixed soon.

-- Dan
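
The merge behaviour described in the reply above, as an added Python example (not libsoup code and not part of the original message). The `DigestAuth` class, its `update` method and the `STALE` header are hypothetical or constructed; the rule that a re-challenge without stale=true means the credentials were rejected comes from RFC 2617, and only qop=auth is handled.

```python
import hashlib
import re

# Challenge from the RFC 2617 section 3.5 example, then a constructed stale re-challenge.
FIRST = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
         'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')
STALE = 'Digest realm="testrealm@host.com", qop="auth", nonce="constructed-nonce-2", stale=true'

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_challenge(header):
    """Split a Digest WWW-Authenticate value into a dict of lower-cased parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

class DigestAuth:  # hypothetical class, not libsoup's SoupAuthDigest
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.params, self.nc = None, 0

    def update(self, header):
        """Merge a new challenge into this auth; return 'retry' or 'need-credentials'."""
        new = parse_challenge(header)
        stale = new.get("stale", "").lower() == "true"
        first = self.params is None
        self.params, self.nc = new, 0      # new nonce, so the nonce count restarts
        if first or stale:
            return "retry"                 # same password, new nonce: no prompt
        self.password = None               # credentials were rejected: ask again
        return "need-credentials"

    def response(self, method, uri, cnonce):
        """Digest response for qop=auth (the only qop handled here)."""
        if self.password is None:
            raise RuntimeError("no credentials")
        self.nc += 1
        p = self.params
        ha1 = md5_hex(f"{self.username}:{p['realm']}:{self.password}")
        ha2 = md5_hex(f"{method}:{uri}")
        return md5_hex(f"{ha1}:{p['nonce']}:{self.nc:08x}:{cnonce}:auth:{ha2}")
```

A regression test of the kind mentioned above would assert that the stale path returns "retry" without clearing the stored password, and that the response changes with the new nonce.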


