Feature #2906

Lighttpd responds with 400 not 401

Added by gcleary over 1 year ago. Updated over 1 year ago.


We have replaced an older embedded web server with lighttpd, however the following case breaks compatibility with a third party system.

lighttpd responds with 400: Bad Request if the request requires Digest Auth but the client supplies Basic Auth. Then the client gives up and does not try Digest Authentication!

The client seems to rely on 401: Unauthorized; otherwise, it does not retry with alternative Auth.

Would you consider modifying this behavior, perhaps with the supplied patch?


0002-401-Unauthorized.patch (773 Bytes) - gcleary, 2018-09-05 14:12

Updated by gstrauss over 1 year ago

  • Tracker changed from Bug to Feature
  • Status changed from New to Invalid

The title of this issue is poor, and your feature request is a feature request, and not a bug.

Changing this behavior in lighttpd may lead to infinite loops if a bad client keeps retrying with a bad request.

Your patch is for your (differently) bad client, which is sending the wrong auth and then not handling sending a request without any (incorrectly guessed) auth in order to receive a 401 Unauthorized response. lighttpd will send 401 Unauthorized when the client does not provide auth and auth has been configured as being required.


Updated by gstrauss over 1 year ago

  • Status changed from Invalid to Patch Pending
  • Target version changed from 1.4.x to 1.4.51

While clients should not be requesting an incorrect auth scheme, sending a 401 Unauthorized should tell the client the auth is not sufficient. According to RFC 7235, a client should not keep sending the same Authorization header in the face of 401 Unauthorized.

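The exchange discussed in the report and the comments above, as an added example that is not part of the issue or of lighttpd's code: a toy server that either returns the reported 400 on a wrong scheme or a 401 carrying a WWW-Authenticate challenge, and a client that guesses Basic first and then follows the challenge as RFC 7235 expects, with a hard retry cap so it cannot loop. The realm, user, fixed nonce and the simplified no-qop Digest computation are assumptions for illustration.

```python
import base64
import hashlib

# Constructed sample realm, user and nonce (not from the issue); a real server issues fresh nonces.
REALM, NONCE = "example", "1a2b3c4d"
USERS = {"alice": "s3cret"}

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse_params(text):  # 'k="v", k2=v2' -> dict, for challenges and Digest credentials
    return {k.strip(): v.strip().strip('"') for k, _, v in (p.partition("=") for p in text.split(","))}

def verify(scheme, params):  # Basic, or simplified RFC 2617 Digest without qop
    if scheme == "Basic":
        user, _, pw = base64.b64decode(params).decode().partition(":")
        return USERS.get(user) == pw
    kv = parse_params(params)
    ha1 = md5(f'{kv["username"]}:{kv["realm"]}:{USERS.get(kv["username"], "")}')
    return kv["nonce"] == NONCE and kv["response"] == md5(f'{ha1}:{NONCE}:{md5("GET:" + kv["uri"])}')

def server(required, authorization, old_behaviour=False):
    """Return (status, headers); old_behaviour=True mimics the reported 400 on a wrong scheme."""
    challenge = (f'Digest realm="{REALM}", nonce="{NONCE}"' if required == "Digest"
                 else f'Basic realm="{REALM}"')
    scheme, _, params = (authorization or "").partition(" ")
    if old_behaviour and scheme and scheme != required:
        return 400, {}
    if scheme == required and verify(scheme, params):
        return 200, {}
    return 401, {"WWW-Authenticate": challenge}  # tells the client which scheme it must use

def build_auth(scheme, ch, user, pw, uri="/"):  # Authorization value for the challenged scheme
    if scheme == "Basic":
        return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
    ha1 = md5(f'{user}:{ch["realm"]}:{pw}')
    resp = md5(f'{ha1}:{ch["nonce"]}:{md5("GET:" + uri)}')
    return (f'Digest username="{user}", realm="{ch["realm"]}", nonce="{ch["nonce"]}", '
            f'uri="{uri}", response="{resp}"')

def client(required, user, pw, old_behaviour=False):
    """Guess Basic first; on 401 follow the WWW-Authenticate challenge (RFC 7235)."""
    auth = build_auth("Basic", {"realm": REALM}, user, pw)  # wrong first guess, like the reporter's client
    for n in range(1, 5):  # hard cap: never keep retrying the same credentials forever
        status, headers = server(required, auth, old_behaviour)
        if status != 401:
            return status, n  # 200 (authenticated) or 400 (client gives up, as reported)
        scheme, _, params = headers["WWW-Authenticate"].partition(" ")
        auth = build_auth(scheme, parse_params(params), user, pw)  # switch to the challenged scheme
    return status, n
```

With the old behaviour the client stops after a single 400; with the 401 plus challenge it authenticates on the second request, and wrong credentials stop at the cap instead of looping.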

Updated by gstrauss over 1 year ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
