I'm working on an implementation of kerberos/spnego (for windows - server side)
and in reading the spnego rfc draft, I can't determine if this requires the
browser to keep the connection open once the client sends the authorization
header. There are some notes on usage with a proxy server which makes me think
the connection needs to remain open, but in theory don't see why it would. I
believe for NTLM the second and third phase of auth required the connection to
remain open but am not sure if the same applies to spnego.
Thanks,
Adam Tuliper
www.secure-coding.com
-------------------------------------------------
Sent using http://www.DWmail.net, a free service
Check your email [any email, anytime, anywhere]
-------------------------------------------------
Disclaimer: DWmail.net is not responsible for the content sent via it's
services. Additional header information is included regarding the source of an
email. If you believe an email is junk you should look for the 'Originating
IP' message header
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire named worldwide market share leader in web application security
assessment by leading market research firm. Watchfire's AppScan is the
industry's first and leading web application security testing suite, and
the only solution to provide comprehensive remediation tasks at every
level of the application. See for yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
