Multi-round trip extension
Nico Williams
nico at cryptonector.com
Tue Sep 2 12:03:24 EDT 2014
On Tue, Sep 2, 2014 at 7:39 AM, Simo Sorce <simo at redhat.com> wrote:
> Well, it depends, my mod_auth_gssapi supports keeping auth tied to a
> connection, and both Internet Explorer and Firefox oblige and keep the
> whole exchange on the same connection. In fact NTLMSSP authentication (2
> full roundtrips) works in this mode.
Sure. But what about proxies? What about many other HTTP clients and
servers? (libcurl? nginx? node this or that, various Java classes,
...).
> It is not too hard to set a cookie and keep state (export partially
> established context and store it in some local cache) in the server
> either, though sending the state to the client might make it work across
> balancing servers that do not keep a client connected to the same server
> between any 2 exchanges, not sure it is worth dealing with those cases
> though. I haven't yet fully investigated the case of proxies.
Clients are not required to implement cookies. To maximize interop
a server would have to be prepared to use both cookies and
per-connection state.
> In MIT code exporting partially established context works in recent
> versions.
Which is good. I mentioned the non-standard aspect of this because
that's come up a lot before.
Nico
--
More information about the krbdev mailing list