HTTP Authentication - WWW-Authenticate header - multiple realms

别那么骄傲 2021-01-11 10:42

Does anyone have any experience of supporting multiple realms in HTTP Authentication?

The Microsoft website states:

Each authenticate respon

2 answers
  •  执笔经年
    2021-01-11 11:33

    The HTTP specification allows for multiple WWW-Authenticate challenges to be present in a response, either within the same WWW-Authenticate header or using multiple WWW-Authenticate headers within the same response.

    There are problems associated with this, as described in RFC 2617, section 4.6. In theory, the client must choose the strongest authentication mechanism available; however, defining which one is the strongest is not always obvious.

    I've never tried with multiple realms (and the same scheme, for example Basic), but I'm not aware of anything disallowing it. The main problem with multiple realms and the same scheme is that the browser is likely to be confused in terms of user-interface, in particular which realm it challenges the user with.
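
An added example, not part of the original answer: a small Python parser that collects every challenge from one or several WWW-Authenticate values and keeps only those of the strongest scheme, so a client can see when several realms compete. The `STRENGTH` ranking, the function names and the sample header values are assumptions made for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param: name = token or quoted-string
PARAM = re.compile("(" + TOKEN + r')\s*=\s*("(?:[^"\\]|\\.)*"|' + TOKEN + ")")
# Assumed client policy (not from the page): higher is stronger, unlisted schemes are ignored.
STRENGTH = {"basic": 0, "digest": 1}

def split_outside_quotes(value):
    """Split on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def unquote(v):
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v

def parse_challenges(header_values):
    """Return [(scheme, params)] from every WWW-Authenticate value in a response."""
    challenges = []
    # Several header lines are equivalent to one comma-joined line.
    for piece in split_outside_quotes(", ".join(header_values)):
        m = PARAM.fullmatch(piece)
        if m and challenges:  # bare name=value belongs to the current challenge
            challenges[-1][1][m.group(1).lower()] = unquote(m.group(2))
            continue
        scheme, _, rest = piece.partition(" ")  # otherwise a new challenge starts
        m = PARAM.fullmatch(rest.strip())       # token68 data (e.g. Negotiate) is dropped
        params = {m.group(1).lower(): unquote(m.group(2))} if m else {}
        challenges.append((scheme, params))
    return challenges

def strongest(challenges):
    """Keep only challenges of the strongest known scheme; more than one result
    means several realms compete and the client has to pick one explicitly."""
    known = [c for c in challenges if c[0].lower() in STRENGTH]
    top = max((STRENGTH[c[0].lower()] for c in known), default=None)
    return [c for c in known if STRENGTH[c[0].lower()] == top]

# Constructed sample: two header lines, three challenges, commas inside quoted values.
SAMPLE = ['Digest realm="staff", qop="auth", nonce="abc,123"',
          'Basic realm="staff", Basic realm="guests, public"']
```

With `SAMPLE`, `strongest(parse_challenges(SAMPLE))` returns only the Digest challenge, while a response offering `Basic` for two realms returns both and leaves the realm choice to the caller.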
