> There is just that little issue (more a kind of favour) that I mentioned under
> as 2.: When the server does not mention 'algorithm' in WWW-Authenticate:,
> should we introduce it in the client's Authenticate: Header? I can't say what
> is better... RFC 2069 and RFC 2617 leave it open.
> At least we would introduce an additional (unneeded) xstrdup/free.

Yes. Even I've been giving this some thought. Should we or should we not include the algorithm attribute in the Authorization Header when it wasn't a part of the response? As Tim mentioned, RFC 2069 and RFC 2617 both state nothing about this attribute.

I don't see the harm in sending it anyways. The Server should simply ignore it.

-- 
Thanking You,
Darshit Shah
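The two client behaviours discussed in this thread, as an added Python illustration (not part of the original message and not wget's code). It assumes that a challenge without `algorithm` means MD5, as RFC 2617 specifies for the challenge, and uses the RFC 2069 response form without `qop`; the challenge string, credentials and function names are constructed for the example.

```python
import hashlib
import re

# Constructed challenge: the server sent no 'algorithm' attribute.
CHALLENGE = 'Digest realm="example.test", nonce="abc123constructed", opaque="xyz"'

def parse_challenge(header):
    """Parse a WWW-Authenticate Digest challenge into a dict (simplified)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def build_authorization(challenge, user, password, method, uri, echo_algorithm=False):
    """Build an RFC 2069-style (no qop) Authorization header value.

    echo_algorithm=True adds algorithm=MD5 even when the challenge omitted it,
    which is the behaviour being debated in the thread.
    """
    algorithm = challenge.get("algorithm")  # None when the server omitted it
    if algorithm is not None and algorithm.upper() != "MD5":
        # Refuse rather than answer with a digest the server did not ask for.
        raise ValueError("unsupported algorithm: " + algorithm)
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{challenge['nonce']}:{ha2}")
    fields = [("username", user), ("realm", challenge["realm"]),
              ("nonce", challenge["nonce"]), ("uri", uri), ("response", response)]
    if "opaque" in challenge:
        fields.append(("opaque", challenge["opaque"]))
    header = "Digest " + ", ".join(f'{k}="{v}"' for k, v in fields)
    if algorithm is not None or echo_algorithm:
        header += ", algorithm=" + (algorithm or "MD5")
    return header

if __name__ == "__main__":
    parsed = parse_challenge(CHALLENGE)
    print(build_authorization(parsed, "user", "secret", "GET", "/index.html"))
    print(build_authorization(parsed, "user", "secret", "GET", "/index.html", echo_algorithm=True))
```

The `response` value is identical in both headers; the only difference on the wire is the trailing `algorithm=MD5` attribute.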
