Raúl Kripalani created HTTPCLIENT-1534:
------------------------------------------
Summary: HTTP Digest Authentication does not use cookies sent on
challenge
Key: HTTPCLIENT-1534
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1534
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient, HttpCookie
Affects Versions: 4.3.3
Reporter: Raúl Kripalani
HTTP Client does not process cookies received from the server on the HTTP 401
challenge that initiates a Digest Auth procedure.
The server could be sending a cookie related to load balancing, which is
crucial to ensure that the 2nd HTTP request with the challenge response
(Authorization) reaches the same application/origin server that created it.
Otherwise, the authentication may fail easily.
Imagine a scenario with a load balancer in front of 4 application servers with
shared-nothing, i.e. no common state.
*Request #1 - Challenge request:*
Client sends a normal HTTP request. Load balancer routes it to node 1 and the
client receives an HTTP 401 with Set-Cookie: LBCOOKIE=123456.node1.
*Request #2 - Final request:*
The client then computes the Authorization header and sends the request again.
However, because it does not include the Cookie, the load balancer routes it to
node 3, which doesn't recognise the Authorization challenge and rejects it
again with an HTTP 401.
*Result:* The client never passes authentication.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
