On 12/07/2015 11:55 AM, Jacob Champion wrote:
> - moving things to post read sounds tempting, however I'm not sure if
we want to upgrade on non-authed request or not, for example. I am not
sure what else we do in post read, maybe someone else has an opinion
about that. It certainly looks nicer in the OPTIONS * case.
WebSocket upgrades rely on authn headers and cookies; there is no (good)
way after a connection has been established to say "well, I upgraded you
but now I'm closing the connection because you weren't authorized." The
check needs to be done before sending 101 (and otherwise a 401/403/4xx
needs to be sent instead of the upgrade).
D'oh. My WebSocket rambling has nothing to do with anything you said --
I only just realized you were both talking about mod_ssl's hook
implementations, not the general order of the hooks in the new Upgrade
architecture...
Sorry for the noise.
--Jacob