Vyhľadajte odpoveď

Vyhnite sa podvodom s podporou. Nikdy vás nebudeme žiadať, aby ste zavolali alebo poslali SMS na telefónne číslo alebo zdieľali osobné informácie. Nahláste prosím podozrivú aktivitu použitím voľby “Nahlásiť zneužitie”.

Learn More

reuse authorization header to prevent HTTP 401/200 cycle

  • Žiadne odpovede
  • 1 má tento problém
  • 18 zobrazení
more options

Our internal websites site behind apache running kerberos. mod_auth_kerb

When requesting a site that has css and js files the network requests look like this.

request http://localsite/ -- get 401 response. Send request again with Authorization header. Get 200 request http://localsite/some.css -- get 401 response. Send request again with Authorization header. Get 200 request http://localsite/some.js -- get 401 response. Send request again with Authorization header. Get 200

Note, the Authorization header is the same in all 3 requests so it seems pointless to not send it when fetching some.css and some.js.

When internet explorer hits the same site the request cycle is

request http://localsite/ -- get 401 response. Send request again with Authorization header. Get 200 request http://localsite/some.css with Authorization header get 200 response request http://localsite/some.js with Authorization header get 200 response

Instead of 6 requests, IE makes 4. If the page had 10 assets on the page, IE would make 12 HTTP requests and FF would make 22.  :-(

The HTTP specification - https://tools.ietf.org/html/rfc7235#section-4.2 states

"If a request is authenticated and a realm specified, the same credentials are presumed to be valid for all other requests within this realm.."

Is there a way to make Firefox send the Authentication header on every request after the 1st like IE does? Maybe there is a configuration I am missing?

Thanks Tony

Our internal websites site behind apache running kerberos. mod_auth_kerb When requesting a site that has css and js files the network requests look like this. request http://localsite/ -- get 401 response. Send request again with Authorization header. Get 200 request http://localsite/some.css -- get 401 response. Send request again with Authorization header. Get 200 request http://localsite/some.js -- get 401 response. Send request again with Authorization header. Get 200 Note, the Authorization header is the same in all 3 requests so it seems pointless to not send it when fetching some.css and some.js. When internet explorer hits the same site the request cycle is request http://localsite/ -- get 401 response. Send request again with Authorization header. Get 200 request http://localsite/some.css with Authorization header get 200 response request http://localsite/some.js with Authorization header get 200 response Instead of 6 requests, IE makes 4. If the page had 10 assets on the page, IE would make 12 HTTP requests and FF would make 22. :-( The HTTP specification - https://tools.ietf.org/html/rfc7235#section-4.2 states "If a request is authenticated and a realm specified, the same credentials are presumed to be valid for all other requests within this realm.." Is there a way to make Firefox send the Authentication header on every request after the 1st like IE does? Maybe there is a configuration I am missing? Thanks Tony