id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
485	Multiple WWW-Authenticate headers	Fasih		"RFC allows a server to respond with multiple WWW-Authenticate header (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47). 

""User agents are advised to take special care in parsing the WWW- Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters.""

However nginx defines WWW-Authenticate header as an ngx_table_elt_t in the ngx_http_headers_out_t struct as opposed to an ngx_array_t like other allowed repeated value headers.

I am using nginx as a reverse proxy. The upstream sends two WWW-Authenticate headers with different realms. I was processing the www_authenticate header field and hadnt realized that it was legal to send multiple WWW-Authenticate headers.

One e.g. for a valid real-world use:

http://stackoverflow.com/a/15894841/1597813"	enhancement	closed	minor		nginx-core	1.5.x	fixed	response header handling		Linux fasih-thinks 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.5.1
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) 
configure arguments: --prefix=/home/faskiri/usr --with-debug
"