Feature #2906
closedLighttpd responds with 400 not 401
Description
Hi
We have replaced an older embedded web server with lighttpd, however the following case breaks compatibility with a third party system.
lighttpd responds with 400: Bad Request if the request requires Digest Auth but the client supplies Basic Auth. Then client does gives-up and does not try Digest Authentication!
The client seems to rely on 401: Unauthorized otherwise, it does not retry with alternative Auth.
Would you consider modifying this behavior, perhaps with the supplied patch?
Files
Updated by gstrauss over 6 years ago
- Tracker changed from Bug to Feature
- Status changed from New to Invalid
The title of this issue is poor, and your feature request is a feature request, and not a bug.
Changing this behavior in lighttpd may lead to infinite loops if a bad client keeps retrying with a bad request.
Your patch is for your (differently) bad client, which is sending the wrong auth and then not handling sending a request without any (incorrectly guessed) auth in order to receive a 401 Unauthorized response. lighttpd will send 401 Unauthorized when client does not provide auth and auth has been configured as being required.
Updated by gstrauss over 6 years ago
- Status changed from Invalid to Patch Pending
- Target version changed from 1.4.x to 1.4.51
While clients should not be requesting an incorrect auth scheme, sending a 401 Unauthorized should tell the client the auth is not sufficient. According to RFC 7235, a client should not keep sending the same Authorization header in the face of 401 Unauthorized.
Updated by gstrauss about 6 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset 6b887f35e34e3d18a70f4d45bc2500b811481141.
Also available in: Atom