
classification
Title: Add support for Digest authentication session (reuse nonces)
Type: enhancement
Stage: patch review
Components: Library (Lib)
Versions: Python 3.2
process
Status: open
Resolution: accepted
Dependencies:
Superseder:
Assigned To: orsenthil
Nosy List: dieresys, orsenthil
Priority: normal
Keywords: needs review, patch

Created on 2010-01-21 23:47 by dieresys, last changed 2022-04-11 14:56 by admin.

Files
urllib2-support_digest_sessions.diff (uploaded by dieresys, 2010-01-21 23:47): add support for digest authentication sessions
Messages (2)
msg98120 - Author: Manuel Muradás (dieresys) Date: 2010-01-21 23:47
Description:
    As described in issue [2202], for each request we make, we get a new [401|407] message with a new nonce (depending on whether we're talking about a proxy with digest authentication or a web server). Then we generate another authenticated request using that nonce. For Digest authentication sessions to be fully supported, we should be adding a [WWW|Proxy]-Authenticate header in each following request we make to the server, using the last nonce sent by the server. This will reduce the number of requests performed, improving the performance.


How common browsers behave:
    Browsers implement authentication sessions by reusing the last nonce received from the web server for a given domain and Realm. When a request is made to a new URL from the same domain, the browser doesn't know if that URL belongs to the same Realm. If the new URL is a sub-URL of any other known URL on that Realm, the browser adds the Authorization header to the new request. If it can't infer the Realm with this method, the request is sent without the header. If the new URL does belong to the Realm, the browser uses the nonce included in the response from the server (with a 401 status code) to make new requests to URLs belonging to that Realm.
    Regarding proxies with Digest authentication, browsers reuse the last nonce for every request made through the proxy.

For example:
URL1 redirects to URL2 and URL2 redirects to URL3:

Notes:
-> = request
<- = response
N  = nonce
C  = client nonce
NC = nonce count

---------------------------
[1]
URL1: http://domain/1/1.htm
URL2: http://domain/2/1.htm
URL3: http://domain/1/2.htm

-> GET URL1
<- 401 N1
-> GET URL1 N1 C1 NC1
<- 301 URL2
-> GET URL2
<- 401 N2
-> GET URL2 N2 C2 NC1
<- 301 URL3
-> GET URL3 N2 C2 NC2
<- 200

---------------------------
[2]
URL1: http://domain/1.htm
URL2: http://domain/1/1.htm
URL3: http://domain/2/1.htm

-> GET URL1
<- 401 N1
-> GET URL1 N1 C1 NC1
<- 301 URL2
-> GET URL2 N1 C1 NC2
<- 301 URL3
-> GET URL3 N1 C1 NC3
<- 200


About the patch:
    I've added a 'http_request' to 'AbstractDigestAuthHandler' to add the '*-Authenticate' header before performing the requests.

    There is a known problem with this patch: we generate a new AuthenticationSession against digest proxies when we are redirected to another page (with a 30X code), instead of re-using the previous session (first we send the redirected request without the authentication handler, we receive a new 407 code, and then we send the redirected request again with the new authentication handler). This is caused by the execution order of handlers:
- RedirectHandler generates a new request and calls self.parent.open
- ProxyDigestAuthHandler tries to find an AuthenticationSession for that request but fails ('Request.get_host' returns the web server host)
- ProxyHandler modifies the request (now 'Request.get_host' returns the proxy host)

Comments are more than welcome!!
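
The two exchanges in msg98120, reproduced as an added example that is not part of the original message or of the attached patch. It assumes a single realm per host and RFC 2617 MD5 with qop=auth; `DigestSession`, `trace` and the constructed server that challenges every unauthenticated request are hypothetical names for illustration.

```python
import hashlib
import posixpath

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

class DigestSession:
    """Client state for one host and realm: last nonce, nonce count, known path prefixes."""

    def __init__(self, user, realm, password):
        self.user, self.realm = user, realm
        self.ha1 = md5_hex(f"{user}:{realm}:{password}")
        self.nonce = self.cnonce = None
        self.nc = 0
        self.prefixes = set()

    def challenge(self, path, nonce, cnonce):
        # A 401 carries a fresh nonce: the count restarts, and the directory of
        # the challenged path is now known to belong to the realm.
        self.nonce, self.cnonce, self.nc = nonce, cnonce, 0
        self.prefixes.add(posixpath.dirname(path).rstrip("/") + "/")

    def authorize(self, method, path):
        # Send credentials up front only when the path lies under a known prefix.
        if self.nonce is None or not any(path.startswith(p) for p in self.prefixes):
            return None
        self.nc += 1
        nc = f"{self.nc:08x}"
        ha2 = md5_hex(f"{method}:{path}")
        response = md5_hex(f"{self.ha1}:{self.nonce}:{nc}:{self.cnonce}:auth:{ha2}")
        return {"nonce": self.nonce, "cnonce": self.cnonce, "nc": nc, "response": response}

def trace(paths, session):
    """Follow a redirect chain against a constructed server that challenges any
    unauthenticated request; return the exchange in the notation of msg98120."""
    log, challenges = [], 0
    for i, path in enumerate(paths, 1):
        auth = session.authorize("GET", path)
        if auth is None:
            challenges += 1
            log += [f"-> GET URL{i}", f"<- 401 N{challenges}"]
            # Constructed nonce and client nonce labels (N1/C1, N2/C2, ...).
            session.challenge(path, f"N{challenges}", f"C{challenges}")
            auth = session.authorize("GET", path)
        log.append(f"-> GET URL{i} {auth['nonce']} {auth['cnonce']} NC{int(auth['nc'], 16)}")
        log.append("<- 200" if i == len(paths) else f"<- 301 URL{i + 1}")
    return log
```

A server that tracks the highest nonce count seen per nonce can reject any request whose count does not increase, which is what keeps a reused nonce from being replayable.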
msg109875 - Author: Mark Lawrence (BreamoreBoy) Date: 2010-07-10 15:07
The patch will need reworking to apply to 3.2 only.
History
Date | User | Action | Args
2022-04-11 14:56:56 | admin | set | github: 52000
2014-02-03 19:21:39 | BreamoreBoy | set | nosy: - BreamoreBoy
2010-07-11 05:41:41 | orsenthil | set | assignee: orsenthil; resolution: accepted; nosy: + orsenthil; stage: test needed -> patch review
2010-07-10 15:07:45 | BreamoreBoy | set | nosy: + BreamoreBoy; messages: + msg109875; versions: - Python 2.7
2010-01-22 00:45:41 | brian.curtin | set | priority: normal; keywords: + needs review; stage: test needed; versions: + Python 3.2
2010-01-21 23:47:52 | dieresys | create |