[
https://issues.apache.org/jira/browse/HTTPCLIENT-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Oleg Kalnichevski resolved HTTPCLIENT-1534.
-------------------------------------------
Resolution: Duplicate
> HTTP Digest Authentication does not use cookies sent on challenge
> -----------------------------------------------------------------
>
> Key: HTTPCLIENT-1534
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1534
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient, HttpCookie
> Affects Versions: 4.3.3
> Reporter: Raúl Kripalani
>
> HTTP Client does not process cookies received from the server on the HTTP 401
> challenge that initiates a Digest Auth procedure.
> The server could be sending a cookie related to load balancing, which is
> crucial to ensure that the 2nd HTTP request with the challenge response
> (Authorization) reaches the same application/origin server that created it.
> Otherwise, the authentication may fail easily.
> Imagine a scenario with a load balancer in front of 4 application servers
> with shared-nothing, i.e. no common state.
> *Request #1 - Challenge request:*
> Client sends a normal HTTP request. Load balancer routes it to node 1 and the
> client receives an HTTP 401 with Set-Cookie: LBCOOKIE=123456.node1.
> *Request #2 - Final request:*
> The client then computes the Authorization header and sends the request again.
> However, because it does not include the Cookie, the load balancer routes it
> to node 3, which doesn't recognise the Authorization challenge and rejects it
> again with an HTTP 401.
> *Result:* The client never passes authentication.
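The failure described in the report, as an added simulation that is not part of the original message and is not HttpClient code. The `Node`, `LoadBalancer` and `authenticate` names, the round-robin fallback and the credentials are assumptions constructed for illustration; only the `LBCOOKIE=123456.nodeN` cookie shape comes from the report.

```python
import hashlib
import itertools
import secrets

USER, REALM, PASSWORD = "alice", "example", "s3cret"  # constructed credentials

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(nonce, method="GET", uri="/"):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Node:
    """Origin server that only recognises nonces it issued itself (no shared state)."""
    def __init__(self, name):
        self.name, self.issued = name, set()

    def handle(self, auth):
        if auth and auth["nonce"] in self.issued and auth["response"] == digest_response(auth["nonce"]):
            return 200, {}
        nonce = secrets.token_hex(8)  # fresh challenge, known to this node only
        self.issued.add(nonce)
        return 401, {"nonce": nonce, "Set-Cookie": f"LBCOOKIE=123456.{self.name}"}

class LoadBalancer:
    """Routes by the node suffix of LBCOOKIE; falls back to round-robin (assumed policy)."""
    def __init__(self, count=4):
        nodes = [Node(f"node{i}") for i in range(1, count + 1)]
        self.by_name = {n.name: n for n in nodes}
        self.round_robin = itertools.cycle(nodes)

    def route(self, cookie, auth):
        sticky = self.by_name.get(cookie.rsplit(".", 1)[-1]) if cookie else None
        return (sticky or next(self.round_robin)).handle(auth)

def authenticate(lb, replay_401_cookie, max_requests=8):
    """Return the number of requests needed to get a 200, or None if never reached."""
    cookie = auth = None
    for sent in range(1, max_requests + 1):
        status, headers = lb.route(cookie, auth)
        if status == 200:
            return sent
        if replay_401_cookie:  # the behaviour the report says is missing
            cookie = headers["Set-Cookie"]
        nonce = headers["nonce"]
        auth = {"nonce": nonce, "response": digest_response(nonce)}
    return None
```

A client that replays the cookie from the 401 succeeds on its second request; one that drops it always answers a challenge at a node that never issued it.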