[vlc-devel] vlc, RTSP and digest authentication

[Rémi Denis-Courmont]

On Thu, 13 Nov 2008 23:10:36 +0000 (UTC), Ratin <ratin3 at gmail.com> wrote:
> My question is how do you identify the client when it closes the
> socket in the middle of a authentication session, by looking at
> its ip address? that wont be a valid check because one host can
> have multiple clients. 

Looking at the socket is not any more valid, since you can have multiple
clients using the same TCP connection via an RTSP proxy.

> The digest authentication works per protection space (also called
> authentication session) basis. If the socket is destroyed in the
> middle of authentication and a new socket is created by the client,
> the server will have to identify the client because it has to match
> the current response based on previously sent nonce.

That would be true for stateful applications protocols such as IMAP, POP or
FTP, whereby the authentication is tied to the transport connection. That
does simply not work for HTTP or RTSP. With these last two, servers MUST
NOT associate any application-layer state to transport connections. Clients
are _allowed_ to send "related" requests on different transport
connections, and send "unrelated" requests on the same connection.

> This brings up the state issue and RFC 2617 clearly talks
> about such state.

Your state CANNOT be tied to the transport connection -handle (i.e. the
socket).
You could question the real world existence of RTSP proxies. But you cannot
question that they are HTTP proxies. How would you cope with multiple
clients behind the same proxy if your state were tied to the socket?

There is a big difference between "no state at all", and "state not tied to
transport connection".

-- 
Rémi Denis-Courmont