I have a rare bug where some clients (MS Office) suddenly try to do NTLM negotiation. This looks like a regular request, except that the body of a LOCK or PUT request is empty, and an `Authorization: Negotiate ...` header is added.

My WebDAV server (based on WsgiDAV) implements authentication using a secret URL as well as cookies for subsequent requests. Therefore, I want to reject these negotiation requests, but without tripping up the client.

What is the correct response to these requests? All the documentation I've found describes how to do negotiation under the assumption that I actually want to negotiate, but in my case this is incorrect. The client is already authenticated via the secret URL and/or a cookie, thus no Authorization header is desired at all.

  • The most correct is probably responding with a 401 or even a 400, but to make Windows WebDAV work reasonably well you probably just want to ignore the header. Why not try both and see what happens? Commented May 14 at 16:56
  • Unfortunately, the issue happens rather rarely, even in a large-ish deployment, so an experimental approach is not doable. We do return an HTTP/400 right now, but for the wrong reasons (LOCK with an empty body is not accepted, and neither is an empty PUT). Commented May 16 at 12:13
  • Then if you're worried about some requests in your logs, your first goal should probably be to reliably reproduce it. Commented May 16 at 14:18
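As an added example (not code from the question, the comments or WsgiDAV itself), a WSGI middleware that recognises the request shape described above (LOCK or PUT, empty body, `Authorization: Negotiate`), logs it so the rare occurrences can be collected for reproduction, and then either refuses with a configured status or strips the header so the wrapped app ignores it, which are the two options raised in the comments. All names, the sample environ and the default status are my own assumptions.

```python
"""Spot and handle stray Negotiate requests in a WSGI (e.g. WsgiDAV) stack."""
import logging

log = logging.getLogger("negotiate_probe")


def is_spurious_negotiate(environ):
    """True for an empty-body LOCK/PUT carrying an Authorization: Negotiate header."""
    if environ.get("REQUEST_METHOD", "").upper() not in ("LOCK", "PUT"):
        return False
    if not environ.get("HTTP_AUTHORIZATION", "").lower().startswith("negotiate"):
        return False
    try:
        return int(environ.get("CONTENT_LENGTH") or 0) == 0
    except ValueError:  # malformed Content-Length; treat as empty body
        return True


class NegotiateFilter:
    """Wrap a WSGI app. reject_status=None means: strip the header and continue."""

    def __init__(self, app, reject_status="401 Unauthorized"):
        self.app = app
        self.reject_status = reject_status

    def __call__(self, environ, start_response):
        if is_spurious_negotiate(environ):
            # Log enough to correlate with client-side traces later.
            log.warning("spurious Negotiate: %s %s from %s",
                        environ.get("REQUEST_METHOD"), environ.get("PATH_INFO"),
                        environ.get("REMOTE_ADDR"))
            if self.reject_status:
                # No WWW-Authenticate header is sent, so no NTLM challenge is offered.
                start_response(self.reject_status, [("Content-Length", "0")])
                return [b""]
            environ = dict(environ)
            environ.pop("HTTP_AUTHORIZATION", None)  # ignore mode
        return self.app(environ, start_response)


# Constructed sample request matching the description in the question.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "LOCK", "PATH_INFO": "/share/report.docx",
    "CONTENT_LENGTH": "0", "REMOTE_ADDR": "192.0.2.10",
    "HTTP_AUTHORIZATION": "Negotiate TlRMTVNTUAABAAAA...",  # truncated, constructed
}


def run_sample(reject_status="401 Unauthorized"):
    """Run SAMPLE_ENVIRON through the filter; return (status, inner_saw_auth)."""
    seen = {}
    def inner(environ, start_response):
        seen["auth"] = "HTTP_AUTHORIZATION" in environ
        start_response("200 OK", [])
        return [b"ok"]
    status = {}
    NegotiateFilter(inner, reject_status)(SAMPLE_ENVIRON, lambda s, h: status.setdefault("s", s))
    return status["s"], seen.get("auth")
```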
