问题
I ran some tests on Kerberos and found out some strange behavior related to Firefox and Kerberos. I have a server running Apache + mod_auh_kerb which is configured to check kerberos credential when serving requests from clients. Kerberos authentication is performed and user without valid credentials are rejected. However, I do not understand the following:
Once the first request is made, a TGS is cached on the client in /tmp/krb5ccXXXX, but a network capture revealed that firefox request a TGS for every single connections. As my service ticket is cached then why isn't it re-used for other requests ? Every connections are as follows:
client = GET index.html => server
client <= 401 Auth required = server
client = TGS-REQ => KDC
...
client <= TGS-REP = KDC
client = GET index.html + kerberos payload => server
client <= 200 OK = server
This is not a configuration issue as Konqueror perform as expected.
Any ideas ?
Thanks in advance.
PS: This is not such a big issue for GET requests but consider form-based uploads (POST) data should not be sent twice to the server !!
回答1:
I don't think there is a problem. The files in /tmp/ mean the kerberos ticket is cached. Apache queries for auth with every request and does not apply any caching. Konqueror just is smart enough to do its own caching and responds automatically with the correct ticket.
来源:https://stackoverflow.com/questions/2098077/why-firefox-keeps-negotiating-kerberos-service-tickets