Is "Authentication-Info" header (as defined in RFC-2617) for Digest-authentication considered Entity-header? When Apache retuns a "304 Not Modified", it simply includes "WWW-Authenticate" and "Proxy-Authenticate" among the authentication related headers (http_protocol.c:1609 for Apache2, and http_protocol.c:2746 for Apache-1.3.26). According to RFC-2616, 304 should not include "other entity headers". Now, if Digest authentication (or any other scheme that makes use of Authentication-Info) is enabled for a particular location, and the server has to return a 304, this header does not go across. This would break the auth info state between the client and the server. Since Digetst-authentication is an accepted extension to HTTP/1.1, shouldn't "Authentication-Info" also be sent across?
Thanks, -Indu
