Multiple WWW-Authenticate headers
Reported by: Fasih
Owned by:
Keywords: response header handling
Cc:
uname -a: Linux fasih-thinks 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
nginx version: nginx/1.5.1
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
configure arguments: --prefix=/home/faskiri/usr --with-debug
The RFC allows a server to respond with multiple WWW-Authenticate headers (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47).
"User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters."
However nginx defines WWW-Authenticate header as an ngx_table_elt_t in the ngx_http_headers_out_t struct as opposed to an ngx_array_t like other allowed repeated value headers.
I am using nginx as a reverse proxy. The upstream sends two WWW-Authenticate headers with different realms. I was processing the www_authenticate header field and hadn't realized that it was legal to send multiple WWW-Authenticate headers.
One example of a valid real-world use:
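To make the header-handling point concrete, here is an added example in Python; it is not code from the ticket or from nginx. It parses WWW-Authenticate values the way the quoted RFC text asks of user agents: each field value is split into challenges while commas inside quoted-strings are left alone, and challenges are collected from every WWW-Authenticate header in the response rather than from a single one. The sample headers are constructed for the example, and `single_pointer_view` is only a simulation of storing the header in one slot (it keeps the last value seen, an assumption chosen to make the dropped realm visible, not a statement about what nginx's pointer ends up holding).

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 7230 tchar set, used for both auth-scheme and auth-param names.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_TOKEN_RE = re.compile(rf"^{_TOKEN}$")
# auth-param = token BWS "=" BWS ( token / quoted-string )
_PARAM_RE = re.compile(rf'^({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s",]+))$')
# token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_TOKEN68_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

Challenge = Tuple[str, Dict[str, str]]

# Constructed sample, not taken from the ticket: an upstream 401 response with
# two WWW-Authenticate headers carrying different realms, plus a Digest
# parameter whose quoted value itself contains a comma.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", 'Basic realm="api.example.test"'),
    ("WWW-Authenticate",
     'Digest realm="legacy.example.test", qop="auth,auth-int", nonce="n0", opaque="o0"'),
]


def _split_commas(value: str) -> List[str]:
    """Split a field value on commas that are outside quoted-strings."""
    parts: List[str] = []
    buf: List[str] = []
    quoted = escaped = False
    for ch in value:
        if escaped:                      # second half of a quoted-pair
            buf.append(ch)
            escaped = False
        elif quoted and ch == "\\":      # backslash escapes the next char
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:   # list separator
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _param(element: str) -> Optional[Tuple[str, str]]:
    """Return (name, value) if element is a single auth-param, else None."""
    m = _PARAM_RE.match(element)
    if not m:
        return None
    raw = m.group(2) if m.group(2) is not None else m.group(3)
    # quoted-pair: strip the backslash, keep the escaped character
    return m.group(1).lower(), re.sub(r"\\(.)", r"\1", raw)


def parse_challenges(value: str) -> List[Challenge]:
    """Parse one WWW-Authenticate field value into (scheme, params) challenges."""
    challenges: List[Challenge] = []
    for element in _split_commas(value):
        param = _param(element)
        if param is not None:
            # A bare name=value continues the challenge that is already open.
            if not challenges:
                raise ValueError(f"auth-param before any auth-scheme: {element!r}")
            challenges[-1][1][param[0]] = param[1]
            continue
        # Otherwise the element opens a new challenge: "scheme" or "scheme first-thing".
        scheme, _, rest = element.partition(" ")
        if not _TOKEN_RE.match(scheme):
            raise ValueError(f"invalid auth-scheme: {scheme!r}")
        params: Dict[str, str] = {}
        rest = rest.strip()
        if rest:
            if _TOKEN68_RE.match(rest):      # e.g. Negotiate <base64 blob>
                params["token68"] = rest
            else:
                first = _param(rest)
                if first is None:
                    raise ValueError(f"malformed challenge: {element!r}")
                params[first[0]] = first[1]
        challenges.append((scheme, params))
    return challenges


def collect_challenges(headers: List[Tuple[str, str]]) -> List[Challenge]:
    """Array-style handling: every WWW-Authenticate header contributes."""
    out: List[Challenge] = []
    for name, value in headers:
        if name.lower() == "www-authenticate":
            out.extend(parse_challenges(value))
    return out


def single_pointer_view(headers: List[Tuple[str, str]]) -> List[Challenge]:
    """Simulated single-slot handling (assumption: last header wins)."""
    kept: Optional[str] = None
    for name, value in headers:
        if name.lower() == "www-authenticate":
            kept = value
    return parse_challenges(kept) if kept else []


def realms(challenges: List[Challenge]) -> List[str]:
    """Realm of each challenge, in the order the server sent them."""
    return [params.get("realm", "") for _, params in challenges]


if __name__ == "__main__":
    print("all headers:", realms(collect_challenges(SAMPLE_HEADERS)))
    print("one slot:   ", realms(single_pointer_view(SAMPLE_HEADERS)))
```

Run as a script, the first line lists both realms and the second only one: that is the information a module reading a single `www_authenticate` element cannot see. The parser also shows why the RFC's warning about commas matters: `qop="auth,auth-int"` survives as one parameter only because the splitter tracks quoted-strings.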