On Fri, 2011-08-26 at 12:23 +0200, David Kocher wrote:
> On 24.08.2011, at 20:40, Oleg Kalnichevski wrote:
>
> > On Wed, 2011-08-24 at 16:46 +0000, Fredrik Jonson wrote:
> >> Oleg Kalnichevski wrote:
> >>
> >>> I contend that preemptive authentication is conceptually flawed and poses
> >>> major security risks in the overwhelming majority of cases.
> >>
> >> What is it that is conceptually flawed with using preemptive authentication,
> >> when you with certainty know the http request that is about to be performed
> >> always will require authentication?
> >>
> >
> > The overhead of letting the first request in a session get challenged
> > by the origin server and caching the authentication state for the rest
> > of the session is virtually negligible. The whole idea of using
> > preemptive authentication in order to save one HTTP round-trip is a
> > complete and utter idiocy.
>
> A common scenario where this is not possible is when the server does not
> support 100-continue expectation and the PUT request entity is not
> repeatable.
>
Even in this case you will be much better off by executing a GET or a HEAD
prior to executing a complex POST in order to force authentication with the
site and later reusing cached authentication state for subsequent request(s).

Oleg
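The pattern Oleg recommends, as an added example that is not part of the original thread or of HttpClient's own code: a cheap HEAD on a shared HttpContext absorbs the server's challenge, and the non-repeatable PUT then reuses the cached authentication state instead of sending credentials unsolicited. It assumes the HttpClient 4.1 API contemporary to this thread (DefaultHttpClient, BasicHttpContext, InputStreamEntity); the class name and method are hypothetical.

```java
import java.io.InputStream;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpHead;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.entity.InputStreamEntity;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;

public class PrimedPut {

    // Hypothetical helper: upload a non-repeatable stream to host:port/path
    // without ever sending credentials before the server has asked for them.
    public static int upload(String host, int port, String path,
                             String user, String password,
                             InputStream body) throws Exception {
        DefaultHttpClient client = new DefaultHttpClient();
        try {
            // Credentials are scoped to exactly one host:port, so they are
            // never offered to any other origin the client may talk to.
            client.getCredentialsProvider().setCredentials(
                    new AuthScope(host, port),
                    new UsernamePasswordCredentials(user, password));

            // The same context is passed to both requests; the auth cache
            // that HttpClient populates on a successful challenge lives here.
            HttpContext ctx = new BasicHttpContext();
            String uri = "http://" + host + ":" + port + path;

            // 1. Safe, idempotent probe: the server issues its 401 challenge,
            //    HttpClient answers it, and the auth state is cached in ctx.
            HttpResponse probe = client.execute(new HttpHead(uri), ctx);
            EntityUtils.consume(probe.getEntity());
            if (probe.getStatusLine().getStatusCode() == 401) {
                throw new IllegalStateException("authentication failed on probe");
            }

            // 2. The PUT body is a one-shot stream (length unknown, so it is
            //    sent chunked). It is transmitted once, already authenticated.
            HttpPut put = new HttpPut(uri);
            put.setEntity(new InputStreamEntity(body, -1));
            HttpResponse resp = client.execute(put, ctx);
            EntityUtils.consume(resp.getEntity());
            return resp.getStatusLine().getStatusCode();
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
```

If the probe is left out and the server rejects the unauthenticated PUT after the stream has been consumed, the upload cannot be retried, which is exactly the case David describes.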
