Client development for HTTP Negotiate

Nico Williams nico at cryptonector.com
Thu Feb 28 12:00:17 EST 2013


On Wed, Feb 27, 2013 at 11:41 PM, Arpit Srivastava <arpit.orb at gmail.com> wrote:
> I am developing a client that uses Kerberos GSS-API authentication using
> the IETF interface.
>
> Every time the client application does an HTTP GET, it requires a new
> output token (which is obtained after calling initSecContext).

You basically have to initialize a new security context for every HTTP
request.  This sucks.  You can avoid this only by creating a
"session".  Traditionally that means "use cookies".  Or you could
implement one of several proposals for "session continuation" based on
session IDs and per-request/response MACs binding requests/responses
to sessions.

Nico
--
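The "session continuation" alternative Nico mentions is easy to misread as just another cookie. The following sketch, added here and not taken from any IETF draft or from MIT krb5, shows what a session ID plus per-request MAC actually buys: after one Negotiate handshake the client signs every later request with a session key, and the server can reject tampered and replayed requests without a new GSS token. The header names, the session table, and the use of `os.urandom` in place of a key exported from the real GSS context are all assumptions made for the example.

```python
"""
Session-continuation sketch for HTTP Negotiate: after a single GSS-API
handshake, client and server share a session ID and a session key, and each
later request carries a MAC that binds method, path and body to that session.
Example code written for this thread, not part of any draft or library.
"""
import hashlib
import hmac
import os
import secrets

# Server-side session table: session_id -> {"key": bytes, "last_seq": int}.
# Constructed for the example; a real server would tie the entry to the GSS
# context established by the Negotiate exchange.
_SESSIONS = {}


def establish_session():
    """Stand-in for the end of the Negotiate handshake: both sides now hold a
    session ID and a shared key. Returns (session_id, key)."""
    session_id = secrets.token_hex(16)
    key = os.urandom(32)  # assumption: replaces a key derived from the GSS context
    _SESSIONS[session_id] = {"key": key, "last_seq": 0}
    return session_id, key


def _canonical(session_id, seq, method, path, body):
    """Bytes the MAC covers: session, sequence number, method, path and a
    SHA-256 digest of the body, newline-joined (none of these fields may
    legitimately contain a raw newline in an HTTP request)."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([session_id, str(seq), method.upper(), path, body_digest]).encode()


def sign_request(session_id, key, seq, method, path, body=b""):
    """Client side: headers binding this request to the session.
    Header names are hypothetical, chosen for the example."""
    mac = hmac.new(key, _canonical(session_id, seq, method, path, body),
                   hashlib.sha256).hexdigest()
    return {
        "X-Session-Id": session_id,
        "X-Session-Seq": str(seq),
        "X-Session-MAC": mac,
    }


def verify_request(headers, method, path, body=b""):
    """Server side: True only for a known session, a strictly increasing
    sequence number (replay/reorder check) and a matching MAC. The stored
    sequence number advances only after the MAC verifies."""
    session_id = headers.get("X-Session-Id")
    session = _SESSIONS.get(session_id)
    if session is None:
        return False
    try:
        seq = int(headers.get("X-Session-Seq", ""))
    except ValueError:
        return False
    if seq <= session["last_seq"]:
        return False  # replayed or out-of-order request
    expected = hmac.new(session["key"], _canonical(session_id, seq, method, path, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Session-MAC", "")):
        return False
    session["last_seq"] = seq
    return True


def demo():
    """Exercise a tampered request, a valid one, a replay, and a second valid
    request with a body. Returns the four verification results in that order."""
    sid, key = establish_session()
    h1 = sign_request(sid, key, 1, "GET", "/api/data")
    tampered = verify_request(h1, "GET", "/api/admin")   # path changed: MAC mismatch
    ok = verify_request(h1, "GET", "/api/data")          # genuine request
    replay = verify_request(h1, "GET", "/api/data")      # same seq again: rejected
    h2 = sign_request(sid, key, 2, "POST", "/api/data", b'{"x":1}')
    ok2 = verify_request(h2, "POST", "/api/data", b'{"x":1}')
    return tampered, ok, replay, ok2


if __name__ == "__main__":
    print(demo())  # (False, True, False, True)
```

The point worth noticing is the difference from a plain cookie: a cookie only proves possession of a bearer value, while the MAC ties each individual request (and its body) to the session key, so a captured header cannot be reused for a different request or replayed for the same one.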