https://issues.apache.org/bugzilla/show_bug.cgi?id=54076
--- Comment #5 from Michael Osipov <1983-01...@gmx.net> --- (In reply to comment #4) > There is one work-around already available. Set alwaysUseSession on the > Authenticator Valve. This isn't even a workaround for me. You cannot guarantee that the client will respond with the JSESSIONID cookie. You could end up with generating a huge amount of empty sessions. > I have added support for a second work-around to trunk and 7.0.x. This > work-around enables HTTP keep-alive to be disabled for specified user-agents > if they attempt to use SPNEGO. This will be included in 7.0.33 onwards. Well, the server admin needs to know the client's UA preemptively. Is this really feasable? The client cannot know that the server is incapable of performing stateful auth. I'd rather always write "Connection: close" for general safety. > I'm not a huge fan of adding the ability to cache information per connection > as that goes against the stateless nature of HTTP. That said, I'd be > prepared to look at a patch that did this and, depending on how invasive it > was, would consider such a patch for 8.0.x. We have discussed this already on the mailing list. Yes, HTTP is stateless but some auth mechs are stateful. This means that HTTP has to be stateful somehow. Since this is done on the connection-level, you already have the statefulness w/o tampering of the HTTP model. Consider that SSL is stateful too and simply wraps HTTP messages. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
