Arno Garrels wrote:

> Maurizio Lotauro wrote:
> >> Digest authentication requires at least one server challenge per
> >> protection space (realm). This is similar to basic authentication
> >> which may use a realm as challenge (currently not supported by basic
> >> in both THttpCli and THttpServer).
> > 
> > The last sentence is not clear to me, can you explain?
> This was not quite correct since the THttpServer actually allows
> specifying a realm with basic authentication as well.

The server must send a realm:

RFC 2617
1.2 Access Authentication Framework
The realm directive (case-insensitive) is required for all
authentication schemes that issue a challenge.

> However it is not easy in the THttpCli to obtain 
> this value unless you parse the AuthorizationRequest list.

In my version this is one of the pieces of information passed to the event
used for the authentication :-)

> Also, both do not require a persistent connection and both require
> just a _single_ server challenge, that's the similarity I meant.

We recently discussed that. It should always be so because it is
stateless. It is NTLM that doesn't respect the RFC.


> Something like that is required, also because current authentication 
> code in the THttpCli is a complicated nightmare, error-prone and
> contains plenty of duplicated code. 

I know it very well :-)
I already posted my proposed changes in the past, but it was probably not the
right moment because I got no feedback.

Bye, Maurizio.
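
The realm extraction discussed in this thread, as an added example that is not part of the original message and not ICS code (Python rather than Delphi, so it can be run stand-alone). The names `parse_challenges` and `realm_of` and the sample header are hypothetical; only the auth-param form of a challenge is handled.

```python
import re

# auth-param = token "=" ( token | quoted-string )   (RFC 2617, section 1.2)
_PARAM = re.compile(r'\s*([^\s=,"]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]+)\s*$')
# One comma-separated list item; commas inside quoted strings do not split.
_ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')

# Constructed sample: two challenges in one header value, mixed-case names.
SAMPLE = ('Digest REALM="users@example.test", qop="auth", nonce="abc123", '
          'Basic Realm="Staff \\"A, B\\""')


def parse_challenges(header_value):
    """Return [(scheme, {directive: value})] for one WWW-Authenticate value."""
    challenges = []
    for item in _ITEM.findall(header_value):
        item = item.strip()
        if not item:
            continue
        m = _PARAM.match(item)
        if m is None:
            # "Scheme" or "Scheme name=value": this item starts a new challenge.
            parts = item.split(None, 1)
            challenges.append((parts[0], {}))
            m = _PARAM.match(parts[1]) if len(parts) > 1 else None
            if m is None:
                continue
        if not challenges:
            raise ValueError("auth-param found before any scheme")
        # Directive names are case-insensitive, so store them lower-cased.
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            value = re.sub(r'\\(.)', r'\1', value[1:-1])  # undo quoted-pair
        challenges[-1][1][name] = value
    return challenges


def realm_of(challenge):
    """Return the realm of a challenge; the RFC requires one to be present."""
    scheme, params = challenge
    if "realm" not in params:
        raise ValueError(f"{scheme} challenge without realm directive")
    return params["realm"]


if __name__ == "__main__":
    for chal in parse_challenges(SAMPLE):
        print(chal[0], "->", realm_of(chal))
```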
