[CalendarServer-dev] digest auth
cdaboo at apple.com
Mon Sep 24 18:23:56 PDT 2007
--On September 24, 2007 7:44:06 PM -0500 Bruno Browning
<browning at uwalumni.com> wrote:
> When I authenticate to a CalendarServer instance configured to use digest
> authentication (concerning which I am a compleat newb) using Sunbird or
> Lightning, wait fifteen minutes, and attempt to, say, refresh, I get
> another authentication prompt. This doesn't seem to be Sb/Ltn-specific:
> the same timeout-and-reprompt happens when accessing the calendar URI
> with a browser, including Opera on Linux and IE on Vista (though not
> with IE 5.2 on Mac OS) - so it doesn't seem to be specific to the Mozilla
> network stack, either. Wireshark shows that after the 15-minute timeout
> CalendarServer responds to a query with a 401 challenge and new nonce
> value in the WWW-Authenticate header - but that header does not also
> include a 'stale="true"' as I would expect from my (possibly naive)
> reading of RFC 2617. So I'm suspecting that this is a CalendarServer bug
> rather than a Mozilla one, and I'm hoping that someone more familiar with
> digest authentication than I am can comment.
Yup - looks like we missed that. Apparently some browsers/clients ignore
stale and attempt a re-auth without prompting so we didn't notice that.
I'll get a ticket written on that.
More information about the calendarserver-dev