As previously mentioned, I'm working with the authentication system and multiple auth domains. I've ended up actually pulling some of the handling code directly out of mongoose.c into my own application so that I can generate my own 401 error pages, as the default ones contain no response body. So basically my MG_AUTH always returns YES, but it sets up a structure in connection_param that indicates if authentication might actually be needed, and then MG_REQUEST looks at that and either authorizes and responds or sends a 401 instead.
In any case, I can't replicate the mongoose logic exactly because mg_send_digest_auth_request() calls close_local_endpoint() before it returns to close the connection. I've researched a bit and I haven't found any mention anywhere that a server should automatically close a connection that would otherwise be kept alive if an authentication fails, so I assume I'm about to look like an idiot for asking. I HAVE seen mentioned that once a client connection is authorized, all requests made on the same connection are automatically authorized using the same user. I don't know if that was an IIS specific thing or not, as I can't see any mention of it in the RFC. However, I can see why a server would want to close the connection explicitly if authorization was not present or otherwise invalid in that situation. Is something like that (or security related in general) why the connection is being closed there? I don't want to violate any constraints by leaving the connection open in this case. -- You received this message because you are subscribed to the Google Groups "mongoose-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/mongoose-users. For more options, visit https://groups.google.com/d/optout.
