I have a functioning DAA implementation as part of my wsgi app.
Everything works perfectly, EXCEPT: Firefox ignores the "domain" field, a part of the "WWW-Authenticate" header.

The uri "/home" when accessed by a client initiates the authentication.
The following response body links to media at "/sys/files". What I want is for the authenticated session to "tick" ONLY when anything from "/home" is being accessed, but I don't want every request to "/sys" or anything else for that matter to receive the "Authorization" header.

I've studied RFC 2617 (blech) and googled about like a madman to no avail. Here's the header exchange which demonstrates the problem:
GET /home HTTP/1.1
Host: 192.168.10.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008123017 GranParadiso/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.x 401 Unauthorized
Date: Sun, 18 Jan 2009 01:09:19 GMT
Server: Apache/2.2.9 (Debian) mod_wsgi/2.3 Python/2.5.2
WWW-Authenticate: Digest realm="[email protected]", domain="/home", qop="auth", nonce="0cb08fa15f0fd59f372cc024f9b0d291", opaque="be2c6a51ff6cc54a607aab46e6b6f408"
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/plain

GET /home HTTP/1.1
Host: 192.168.10.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008123017 GranParadiso/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Pragma: no-cache, no-cache
Cache-Control: no-cache, no-cache
Authorization: Digest username="johan", realm="[email protected]", nonce="0cb08fa15f0fd59f372cc024f9b0d291", uri="/home", response="68fce728eb5f1cc04e43a8b1a5f19a80", opaque="be2c6a51ff6cc54a607aab46e6b6f408", qop=auth, nc=00000001, cnonce="1591d58dc97956dc"

HTTP/1.x 200 OK
Date: Sun, 18 Jan 2009 01:09:24 GMT
Server: Apache/2.2.9 (Debian) mod_wsgi/2.3 Python/2.5.2
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

GET /sys/files/prototype.js HTTP/1.1
Host: 192.168.10.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008123017 GranParadiso/3.0.5
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://192.168.10.1/home
Authorization: Digest username="johan", realm="[email protected]", nonce="0cb08fa15f0fd59f372cc024f9b0d291", uri="/sys/files/prototype.js", response="3734368c5159a4b4c4b546b375e65055", opaque="be2c6a51ff6cc54a607aab46e6b6f408", qop=auth, nc=00000002, cnonce="4ceeed47b224b8b9"
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.x 200 OK
Date: Sun, 18 Jan 2009 01:09:24 GMT
Server: Apache/2.2.9 (Debian) mod_wsgi/2.3 Python/2.5.2
Content-Length: 124000
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/x-c; charset=utf-8
Firefox's third request clearly contains the "Authorization" header despite the requested uri clearly being outside of the "domain" declared in "WWW-Authenticate". What gives? This crap happens even if I'm accessing http://192.168.10.1/sys/files/water.jpg in a separate tab directly and thus not providing the "Referer" header.
You received this message because you are subscribed to the Google Groups
"modwsgi" group.
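Added example, not code from the post or from mod_wsgi: since the client in the exchange above sends "Authorization" for "/sys/files/..." regardless of the advertised domain, the practical fix is to make the server decide by path which requests count for the session at all. The verifier below (Python, to match the wsgi app) reuses the realm, nonce and opaque values from the quoted exchange; the password "s3cret" and the user table are constructed assumptions, since the real credentials are not on the page. Requests outside the declared protection space are served without consulting credentials, requests inside it get a full RFC 2617 qop=auth check (digest uri must equal the request path, nonce-count must increase), and only an "ok" result should advance the session.

```python
import hashlib
import hmac
import re

# Values taken from the exchange quoted in the post.
REALM = "[email protected]"
NONCE = "0cb08fa15f0fd59f372cc024f9b0d291"
OPAQUE = "be2c6a51ff6cc54a607aab46e6b6f408"
PROTECTION_SPACE = ("/home",)      # the domain="/home" advertised in WWW-Authenticate

# Constructed credential store; the real password for "johan" is not on the page.
USERS = {"johan": "s3cret"}

# In-memory replay guard: nonce -> highest nonce-count accepted so far.
_last_nc = {}

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_digest(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict; None if it is not a Digest header."""
    if not header.lower().startswith("digest "):
        return None
    return {k: (q or u) for k, q, u in _PARAM_RE.findall(header[7:])}


def expected_response(method, uri, username, password, nonce, nc, cnonce, qop):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5(f"{username}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def in_protection_space(path):
    """True when the request path lies under one of the declared domain prefixes."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in PROTECTION_SPACE)


def authenticate(method, request_path, auth_header):
    """Return (status, username): 'ok' advances the session, 'ignored' means the
    request is outside the protection space and credentials were not consulted,
    'reject' means the caller should answer 401 with a fresh WWW-Authenticate."""
    if not in_protection_space(request_path):
        return ("ignored", None)          # whatever the client sent, it does not count
    params = parse_digest(auth_header or "")
    if params is None:
        return ("reject", None)
    required = ("username", "realm", "nonce", "uri", "response", "nc", "cnonce")
    if any(k not in params for k in required) or params.get("qop") != "auth":
        return ("reject", None)
    # The digest must be bound to this realm/nonce and to the request-URI actually served.
    if (params["realm"] != REALM or params["nonce"] != NONCE
            or params.get("opaque") != OPAQUE or params["uri"] != request_path):
        return ("reject", None)
    try:
        nc = int(params["nc"], 16)
    except ValueError:
        return ("reject", None)
    if nc <= _last_nc.get(params["nonce"], 0):
        return ("reject", None)           # replayed or out-of-order nonce-count
    password = USERS.get(params["username"])
    if password is None:
        return ("reject", None)
    want = expected_response(method, params["uri"], params["username"], password,
                             params["nonce"], params["nc"], params["cnonce"], "auth")
    if not hmac.compare_digest(want, params["response"].lower()):
        return ("reject", None)
    _last_nc[params["nonce"]] = nc        # record only after a successful check
    return ("ok", params["username"])


def build_authorization(method, uri, username, password, nc, cnonce):
    """What an RFC 2617 client sends back; used here only to exercise the verifier."""
    resp = expected_response(method, uri, username, password, NONCE, nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{REALM}", nonce="{NONCE}", uri="{uri}", '
            f'response="{resp}", opaque="{OPAQUE}", qop=auth, nc={nc}, cnonce="{cnonce}"')


if __name__ == "__main__":
    hdr = build_authorization("GET", "/home", "johan", "s3cret", "00000001", "1591d58dc97956dc")
    print(authenticate("GET", "/home", hdr))                     # ('ok', 'johan')
    print(authenticate("GET", "/home", hdr))                     # ('reject', None): replayed nc
    print(authenticate("GET", "/sys/files/prototype.js", hdr))   # ('ignored', None)
```

Nonce expiry and persistent nonce-count storage are left out; with several mod_wsgi processes the replay table above would have to live somewhere shared.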