Caching of a HTTP/1.1 401 Unauthorized response?

DAVx⁵
Log in to reply
  • K

    It does seem, that davdroid could benefit from caching the server responses where it is asked to authorize, e.g.

    37.201.X - - [30/May/2016:00:33:08 +0000] "PUT /sabretest/cal.php/calendars/admin/testing/b8f655dc-48cb-4f87-ab4a-e38ed5ddbeac.ics HTTP/1.1" 401 432 "-" "DAVdroid/1.0.9.1 (2016/05/27; dav4android; okhttp3) Android/5.1.1"
37.201.X - - [30/May/2016:00:33:09 +0000] "PUT /sabretest/cal.php/calendars/admin/testing/b8f655dc-48cb-4f87-ab4a-e38ed5ddbeac.ics HTTP/1.1" 201 - "-" "DAVdroid/1.0.9.1 (2016/05/27; dav4android; okhttp3) Android/5.1.1"

37.201.X - - [30/May/2016:00:33:09 +0000] "REPORT /sabretest/cal.php/calendars/admin/testing/ HTTP/1.1" 401 473 "-" "DAVdroid/1.0.9.1 (2016/05/27; dav4android; okhttp3) Android/5.1.1"
37.201.X - - [30/May/2016:00:33:09 +0000] "REPORT /sabretest/cal.php/calendars/admin/testing/ HTTP/1.1" 207 1086 "-" "DAVdroid/1.0.9.1 (2016/05/27; dav4android; okhttp3) Android/5.1.1"`

    Every Time davdroid is told to authenticate, (WWW-Authenticate: Digest realm="...") and does so in the subsequent request, but “forgets it” immediately after. Wouldn’t it be wise to authenticate in the next X sessions from the beginning as well ? Could save some round-trips…

    rfc2822 1 Reply 0
  • rfc2822
    developer

    @kralo This only happens when you’re using Digest auth.

    1. Please use Basic auth (the only useful case I can imagine for Digest auth is to authenticate against external services; in terms of security, there should be no advantage because TLS should be used in any case) and set DAVdroid to pre-emptive auth (= always send the authentication header with the request), or
    2. improve the BasicDigestAuthenticator, which I had to write from scratch (I guess it would not be much work, you would have to check the realm and perhaps domain, insert the tokens and handle re-authentication) because okhttp doesn’t provide (Digest) auth by default (and they didn’t want my implementation; you can also read about extra round-trips there).
    0
  • rfc2822
    developer

    Since dav4android ff40bfd, credentials are cached for Digest authentication, too.

    0

Similar topics