[Owncloud] propfind - why always two requests?

Tim Hinkes timmeey at timmeey.de
Thu Jan 31 14:36:12 UTC 2013


Am 31.01.2013 12:52, schrieb Daniel Molkentin:
>
> On 31.01.2013, at 12:43, hemathor wrote:
>
>> hey,
>>
>> i have ssl activated.
>> looking at the httpd logfile, there are always two propfind requests:
>>
>> 127.0.0.1 - - [31/Jan/2013:12:39:34 +0100] "PROPFIND
/owncloud/remote.php/webdav/clientsync HTTP/1.1" 401 291
>> 127.0.0.1 - hemathor [31/Jan/2013:12:39:34 +0100] "PROPFIND
/owncloud/remote.php/webdav/clientsync HTTP/1.1" 207 630
>>
>> why does the client issue an unencrypted request although ssl is
activated?
>
> Where do you see an unencrypted request here? I just see one
unauthenticated and one authenticated here. The log tells nothing about
the encryption status.
>
> SSL is transport layer security, i.e. in encrypts the data stream,
regardless on higher level protocols' authentication scheme. It doesn't
know nor care. HTTP auth is then applied on top (i.e. inside the
encrypted data stream), and the way it works is to issue a request, and
wait for the server to ask for authentication (which it does, 401). The
client will then follow up with an attempt to present its credentials,
which succeeds (207, webdav multi status).
>
> Cheers,
> Daniel
>
> --
> www.owncloud.com <http://www.owncloud.com> - Your Data, Your Cloud,
Your Way!
>
> ownCloud GmbH, GF: Markus Rex, Holger Dyroff
> Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)
>
>
>
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud

Okay, not talking about the ssl/nonssl. BUT... Why are there two
requests? I know how normally http auth is used with the server asking
for auth with 401. But this doubles the needed requests.

Why not sending the auth on every request after the server asks the
first time for the credentials. I don't know how this could trigger
security problems as long as the ssl cert getting validated. Because it
is just a https://user:pass@owncloud.server.foo and would save lots of
requests.

This "useless" 401 requests are causing really heavy overhead when
syncing folders with many (small) subfolders/files.

I know this is bad style http, but we know where auth is needed. So i
think it is worth the bad style, if we could save these expected 401
requests.


TimmeeY

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/owncloud/attachments/20130131/e3ec1f7f/attachment.html>


More information about the Owncloud mailing list