Why Firefox keeps negotiating kerberos service tickets?
Problem description
I ran some tests on Kerberos and found some strange behavior related to Firefox and Kerberos. I have a server running Apache + mod_auth_kerb which is configured to check Kerberos credentials when serving requests from clients. Kerberos authentication is performed and users without valid credentials are rejected. However, I do not understand the following:
Once the first request is made, a TGS is cached on the client in /tmp/krb5ccXXXX, but a network capture revealed that Firefox requests a TGS for every single connection. As my service ticket is cached, why isn't it re-used for other requests? Every connection is as follows:
client = GET index.html => server
client <= 401 Auth required = server
client = TGS-REQ => KDC
...
client <= TGS-REP = KDC
client = GET index.html + kerberos payload => server
client <= 200 OK = server
This is not a configuration issue, as Konqueror performs as expected.
Any ideas?
Thanks in advance.
PS: This is not such a big issue for GET requests, but consider form-based uploads: (POST) data should not be sent twice to the server!!
I don't think there is a problem. The files in /tmp/ mean the kerberos ticket is cached. Apache queries for auth with every request and does not apply any caching. Konqueror just is smart enough to do its own caching and responds automatically with the correct ticket.
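A toy model of the exchange shown in the question, added here as an example and not taken from the original post or from Firefox, Konqueror or Apache: it compares a client that asks the KDC for a service ticket on every request with one that reuses the cached ticket, against a server that challenges every request. All class and function names are hypothetical, and the "tickets" are constructed strings, not Kerberos messages.

```python
# Added illustration: a toy model of the 401/TGS exchange, not real Kerberos.
from dataclasses import dataclass

@dataclass
class Stats:
    http_requests: int = 0      # requests the server received
    kdc_exchanges: int = 0      # TGS-REQ/TGS-REP pairs
    body_bytes_sent: int = 0    # request-body bytes put on the wire

class Kdc:
    def __init__(self, stats):
        self.stats = stats
    def tgs_req(self, service):
        self.stats.kdc_exchanges += 1
        return f"ticket-for-{service}"    # constructed stand-in for a service ticket

class Server:
    """Challenges every request, as the answer says Apache does."""
    def __init__(self, stats, service="HTTP/server"):
        self.stats, self.service = stats, service
    def handle(self, method, body=b"", ticket=None):
        self.stats.http_requests += 1
        self.stats.body_bytes_sent += len(body)
        return 200 if ticket == f"ticket-for-{self.service}" else 401

class Client:
    def __init__(self, kdc, server, reuse_cached_ticket):
        self.kdc, self.server = kdc, server
        self.reuse = reuse_cached_ticket
        self.cache = {}                   # plays the role of /tmp/krb5ccXXXX
    def _ticket(self):
        svc = self.server.service
        if not (self.reuse and svc in self.cache):
            self.cache[svc] = self.kdc.tgs_req(svc)   # TGS-REQ / TGS-REP
        return self.cache[svc]
    def request(self, method, body=b""):
        status = self.server.handle(method, body)     # first try, no credentials
        if status == 401:                             # retry with Kerberos payload
            status = self.server.handle(method, body, self._ticket())
        return status

def run(reuse_cached_ticket, uploads=3, size=1000):
    stats = Stats()
    client = Client(Kdc(stats), Server(stats), reuse_cached_ticket)
    codes = [client.request("POST", b"x" * size) for _ in range(uploads)]
    return codes, stats

if __name__ == "__main__":
    for reuse in (False, True):
        print("reuse cached ticket:", reuse, run(reuse))
```

In this model, reusing the cached ticket removes the repeated KDC exchanges, but each POST body still goes out twice, because the first attempt is always sent without credentials and answered with 401.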