This project is archived and is in readonly mode.

#3006 ✓resolved
José Valim

Patch to fix broken HTTP Digest Authentication

Reported by José Valim | August 8th, 2009 @ 11:56 AM | in 2.3.4

Current HTTP Digest Authentication does not work with some browser/server combinations.

For example, Webrick uses the full REQUEST_URI, while a browser like Safari or Firefox only sends the relative_uri. In this case, HTTP Digest won't work.

On the other hand, IE sends the full REQUEST_URI, so it may not work with servers like mongrel or thin.

This patch attempts to make it flexible enough to work with different combinations of servers/browsers, without changing any security rule.

I tested in "real life" with Firefox on Linux on both webrick and thin. It would be nice if some tests were executed with Safari and IE on both servers.

For some guidance, you could follow Ryan Daigle's tutorial to set up: http://ryandaigle.com/articles/2009/1/30/what-s-new-in-edge-rails-h...
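
The mismatch described in this ticket, as an added Ruby example that is not part of the ticket or its attached patch: the digest-uri is hashed into the RFC 2617 response, so a server that hashes its own absolute REQUEST_URI rejects a client that signed the relative form. `tolerant_valid?` is a hypothetical check, and the user, realm, password, nonce and URLs are constructed sample values.

```ruby
require 'digest/md5'
require 'uri'

# RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2),
# where HA2 = MD5(method:digest-uri). The uri string is part of the hash.
def digest_response(ha1, method, uri, nonce, nc, cnonce)
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  Digest::MD5.hexdigest([ha1, nonce, nc, cnonce, 'auth', ha2].join(':'))
end

# Constant-time comparison of two digests.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Path plus query of an absolute or relative request target.
def request_target(uri)
  parsed = URI.parse(uri)
  parsed.query ? "#{parsed.path}?#{parsed.query}" : parsed.path
end

# Failure mode from the ticket: the server hashes its own REQUEST_URI.
def naive_valid?(ha1, method, server_uri, creds)
  expected = digest_response(ha1, method, server_uri, creds[:nonce], creds[:nc], creds[:cnonce])
  secure_compare(expected, creds[:response])
end

# Hypothetical tolerant check (an assumption, not the patch): hash the uri the
# client sent, but only after confirming it names the resource being requested.
def tolerant_valid?(ha1, method, server_uri, creds)
  return false unless request_target(creds[:uri]) == request_target(server_uri)
  expected = digest_response(ha1, method, creds[:uri], creds[:nonce], creds[:nc], creds[:cnonce])
  secure_compare(expected, creds[:response])
end

# Constructed sample data: HA1 = MD5(user:realm:password).
HA1 = Digest::MD5.hexdigest('alice:Example:secret')

def client_credentials(uri)
  nonce, nc, cnonce = 'constructed-nonce', '00000001', 'constructed-cnonce'
  { uri: uri, nonce: nonce, nc: nc, cnonce: cnonce,
    response: digest_response(HA1, 'GET', uri, nonce, nc, cnonce) }
end

relative = client_credentials('/posts?page=2')           # relative form signed by the client
full_uri = 'http://localhost:3000/posts?page=2'          # absolute form seen by the server
puts "naive: #{naive_valid?(HA1, 'GET', full_uri, relative)}, tolerant: #{tolerant_valid?(HA1, 'GET', full_uri, relative)}"
```

The resource comparison before hashing is what keeps a response signed for one path from being accepted on another.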


Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
