Multi-round trip extension

Nico Williams nico at
Tue Sep 2 12:03:24 EDT 2014

On Tue, Sep 2, 2014 at 7:39 AM, Simo Sorce <simo at> wrote:
> Well, it depends, my mod_auth_gssapi supports keeping auth tied to a
> connection, and both Internet Explorer and Firefox oblige and keep the
> whole exchange on the same connection. In fact NTLMSSP authentication (2
> full roundtrips) works in this mode.

Sure.  But what about proxies?  What about many other HTTP clients and
servers?  (libcurl? nginx? node this or that, various Java classes,

> It is not too hard to set a cookie and keep state (export partially
> established context and store it in some local cache) in the server
> either, though sending the state to the client might make it work across
> balancing servers that do not keep a client connected to the same server
> between any 2 exchanges, not sure it is worth dealing with those cases
> though. I haven't yet fully investigated the case of proxies.

Clients are not required to implement cookies.  To maximize interop
a server would have to be prepared to use both cookies and
per-connection state.

> In MIT code exporting partially established context works in recent
> versions.

Which is good.  I mentioned the non-standard aspect of this because
that's come up a lot before.

