Great 🙂 I don’t know what all the manufacturers do. Seems everything except good testing 😇
Caching of a HTTP/1.1 401 Unauthorized response?
-
It does seem that davdroid could benefit from caching the server responses where it is asked to authorize, e.g.
```
37.201.X - - [30/May/2016:00:33:08 +0000] "PUT /sabretest/cal.php/calendars/admin/testing/b8f655dc-48cb-4f87-ab4a-e38ed5ddbeac.ics HTTP/1.1" 401 432 "-" "DAVdroid/1.0.9.1 (2016/05/27; dav4android; okhttp3) Android/5.1.1"
37.201.X - - [30/May/2016:00:33:09 +0000] "PUT /sabretest/cal.php/calendars/admin/testing/b8f655dc-48cb-4f87-ab4a-e38ed5ddbeac.ics HTTP/1.1" 201 - "-" "DAVdroid/1.0.9.1 (2016/05/27; dav4android; okhttp3) Android/5.1.1"
37.201.X - - [30/May/2016:00:33:09 +0000] "REPORT /sabretest/cal.php/calendars/admin/testing/ HTTP/1.1" 401 473 "-" "DAVdroid/1.0.9.1 (2016/05/27; dav4android; okhttp3) Android/5.1.1"
37.201.X - - [30/May/2016:00:33:09 +0000] "REPORT /sabretest/cal.php/calendars/admin/testing/ HTTP/1.1" 207 1086 "-" "DAVdroid/1.0.9.1 (2016/05/27; dav4android; okhttp3) Android/5.1.1"
```
Every time davdroid is told to authenticate (`WWW-Authenticate: Digest realm="..."`), it does so in the subsequent request, but “forgets it” immediately after. Wouldn’t it be wise to authenticate in the next X sessions from the beginning as well? Could save some round-trips…
-
@kralo This only happens when you’re using Digest auth.
- Please use Basic auth (the only useful case I can imagine for Digest auth is to authenticate against external services; in terms of security, there should be no advantage because TLS should be used in any case) and set DAVdroid to pre-emptive auth (= always send the authentication header with the request), or
- improve the `BasicDigestAuthenticator`, which I had to write from scratch (I guess it would not be much work, you would have to check the realm and perhaps domain, insert the tokens and handle re-authentication) because okhttp doesn’t provide (Digest) auth by default (and they didn’t want my implementation; you can also read about extra round-trips there).
-
Since dav4android ff40bfd, credentials are cached for Digest authentication, too.
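
The following is an added example, not part of the thread and not dav4android's code: a Python illustration of what caching Digest credentials involves under RFC 2617 (MD5, `qop=auth`), namely remembering the last challenge and raising the nonce count `nc` on every reuse so the server accepts the request without a fresh 401. The names `parse_challenge` and `DigestCredentialCache` are hypothetical.

```python
import hashlib
import os
import re

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(header):
    """Parse 'Digest realm="..", nonce="..", qop="auth"' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

class DigestCredentialCache:
    """Keeps the last challenge so later requests authenticate pre-emptively."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.challenge = None  # nothing cached: first request goes out bare
        self.nc = 0            # nonce count; must rise on every reuse of a nonce

    def on_401(self, www_authenticate):
        # A first or stale=true challenge carries a new nonce: restart the count.
        self.challenge = parse_challenge(www_authenticate)
        self.nc = 0

    def authorization(self, method, uri, cnonce=None):
        """Return an Authorization header value, or None if no challenge is cached."""
        if self.challenge is None:
            return None
        c = self.challenge
        if "auth" not in re.split(r"[,\s]+", c.get("qop", "")):
            raise ValueError("only qop=auth is handled here")
        self.nc += 1
        nc = "%08x" % self.nc
        cnonce = cnonce or os.urandom(8).hex()
        ha1 = _md5(f"{self.username}:{c['realm']}:{self.password}")
        ha2 = _md5(f"{method}:{uri}")
        response = _md5(f"{ha1}:{c['nonce']}:{nc}:{cnonce}:auth:{ha2}")
        header = (f'Digest username="{self.username}", realm="{c["realm"]}", '
                  f'nonce="{c["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
                  f'cnonce="{cnonce}", response="{response}"')
        if "opaque" in c:
            header += f', opaque="{c["opaque"]}"'
        return header
```

A server that rejects the cached nonce answers with another 401 (typically `stale=true`), which goes through `on_401` again; that is the re-authentication case mentioned in the thread.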