On Tuesday 30 July 2013 18:28:02 Darshit Shah wrote:
> According to RFC 2617, the server may either send multiple WWW-Authenticate
> Headers or a single WWW-Authenticate Header with multiple challenges. In
> such a case, it is advisable to select the most secure protocol known by
> the client for authentication.
>
> Wget, however uses only the first challenge it sees and begins sending the
> challenge response. This can be easily replicated through the
> Test-auth-both test in the new Test Environment I'm writing and is
> available at: https://www.github.com/darnir/wget-gsoc
>
> My question is, are we interested in fixing this or do we just let it be?

AFAIK, right now, this is a rare case. And if you stumble upon it in the real world, the auth-schemes involved might or might not include the ones that Wget supports (Basic|Digest).

But then, a preference for Digest would be nice and the HTTP header parser should handle both cases (multiple WWW-Authenticate or one with multiple challenges) correctly anyway.

So, I vote for 'Yes'.

Regards, Tim
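
The header handling discussed in this thread, as an added example that is not part of either message and is not Wget's code: it walks every WWW-Authenticate value of a response, splits challenges from auth-params (a token followed by `=` is a param, commas inside quoted strings are data), and prefers Digest over Basic. The names `scheme_rank`, `scan_value` and `pick_auth_scheme` are hypothetical.

```c
#include <ctype.h>
#include <string.h>

/* Preference assumed here: Digest (2) over Basic (1); other schemes rank 0. */
static int scheme_rank(const char *s, size_t n)
{
    static const char *const known[] = { "", "basic", "digest" };
    for (int r = 2; r > 0; r--) {
        size_t i = 0;
        while (i < n && known[r][i] && tolower((unsigned char)s[i]) == known[r][i]) i++;
        if (i == n && known[r][i] == '\0') return r;   /* scheme names are case-insensitive */
    }
    return 0;
}

/* Scan one WWW-Authenticate field value; return the best rank seen so far. */
static int scan_value(const char *p, int best)
{
    int elem_start = 1, quoted = 0;
    for (; *p; p++) {
        if (quoted) {                        /* commas inside a quoted-string are data */
            if (*p == '\\' && p[1]) p++;
            else if (*p == '"') quoted = 0;
        } else if (*p == '"') {
            quoted = 1; elem_start = 0;
        } else if (*p == ',') {
            elem_start = 1;                  /* next token: auth-param or new challenge */
        } else if (elem_start && !isspace((unsigned char)*p)) {
            const char *tok = p, *q;
            while (p[1] && !isspace((unsigned char)p[1]) && !strchr("=,\"", p[1])) p++;
            for (q = p + 1; *q == ' ' || *q == '\t'; q++) {}
            if (*q != '=') {                 /* "token =" is a param, anything else a scheme */
                int r = scheme_rank(tok, (size_t)(p - tok) + 1);
                if (r > best) best = r;
            }
            elem_start = 0;
        }
    }
    return best;
}

/* values[]: every WWW-Authenticate field value of one response, in any order. */
const char *pick_auth_scheme(const char *const *values, size_t n)
{
    int best = 0;
    for (size_t i = 0; i < n; i++) best = scan_value(values[i], best);
    return best == 2 ? "Digest" : best == 1 ? "Basic" : NULL;
}
```

A NULL return means no offered scheme is one the client supports, so no credentials should be sent.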
