(Sorry for my last message, I clicked "Send" before I wrote anything on it!)
Maurizio Lotauro wrote:
> Are you sure? I quickly reread the RFC and it says that more than one
> could be specified in the header, but a challenge is defined as
> challenge = auth-scheme 1*SP 1#auth-param
Yes, I am sure. It says that the "auth-scheme" token must be at least
one valid authentication mechanism, and specifies that they should be
listed in the order of preference.
> So the question is if the Basic must be specified after the last parameter of
In that case, it means that Digest is supported, and preferred over
Basic, but that Basic will be allowed if the client does not support Digest.
> In any case the realm is defined as quoted-string but in the above header is
> written without quote.
In my example, it was (realm="foo"). It refers to the value of the
realm, which must be a quoted-string, not the parameter name itself.
> As a side note, the THttpCli doesn't expect more than one challenge per header.
> How often is it used by servers to specify more than one challenge per header?
I don't think it is very often. I mean, for example, if you require
Digest, why would you allow Basic? And more often than not, clients
merely support Basic and nothing else, except in proprietary
environments, in which case, you then specify the *only* mechanism that
you will support.
But still, it is specified in the RFC, and even emphasized on a side
note as a caveat, so I believe it should be implemented, just to be
fully compliant. Eventually. :)
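The multi-challenge header discussed in this thread, parsed with the `challenge = auth-scheme 1*SP 1#auth-param` grammar quoted above. This is an added example in Python, not part of the original message and not ICS/THttpCli code; the sample header, the function names and the client-side strength ranking are assumptions made for illustration.

```python
import re

# Constructed sample header: two challenges in a single WWW-Authenticate value.
SAMPLE = 'Digest realm="foo", nonce="abc,123", qop="auth", Basic realm="foo"'

# One comma-separated list element: optional "scheme SP" prefix, then name=value.
_ITEM = re.compile(r'''
    \s*(?:(?P<scheme>[A-Za-z][\w-]*)\s+)?      # auth-scheme starts a new challenge
    (?P<name>[\w-]+)\s*=\s*
    (?P<value>"(?:[^"\\]|\\.)*"|[^\s,"]+)\s*   # quoted-string or token
    (?:,|$)''', re.VERBOSE)

# Client-side strength ranking (assumption of this example): higher is stronger.
STRENGTH = {"basic": 0, "digest": 1}


def parse_challenges(header):
    """Return [(scheme, {param: value}), ...] in the order the server listed them."""
    challenges, pos = [], 0
    while pos < len(header):
        m = _ITEM.match(header, pos)
        if not m:
            raise ValueError(f"malformed challenge at offset {pos}")
        if m.group("scheme"):
            challenges.append((m.group("scheme"), {}))
        elif not challenges:
            raise ValueError("auth-param before any auth-scheme")
        value = m.group("value")
        if value.startswith('"'):
            # Strip the quotes and undo backslash escapes of the quoted-string.
            value = re.sub(r'\\(.)', r'\1', value[1:-1])
        challenges[-1][1][m.group("name").lower()] = value
        pos = m.end()
    return challenges


def pick_challenge(header, supported=STRENGTH):
    """Choose the strongest supported challenge; unknown schemes are ignored."""
    usable = [c for c in parse_challenges(header) if c[0].lower() in supported]
    if not usable:
        return None
    # Rank by strength, not by position, so a header that lists Basic
    # first cannot steer the client away from Digest.
    return max(usable, key=lambda c: supported[c[0].lower()])
```

A client that reads only the first challenge, or splits the header on every comma, mishandles this header: the comma inside the quoted `nonce` value and the `Basic` challenge after the last Digest parameter both need the scheme-aware parsing shown here.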