http/spnego connections

["Adam Tuliper" <amt () gecko-software com>]

I'm working on an implementation of kerberos/spnego (for windows - server side) and in reading the spnego rfc draft, I 
can't determine if this requires the browser to keep the connection open once the client sends the authorization 
header. There are some notes on usage with a proxy server which makes me think the connection needs to remain open, but 
in theory don't see why it would. I believe for NTLM the second and third phase of auth required the connection to 
remain open but am not sure if the same applies to spnego.

Thanks,

Adam Tuliper
www.secure-coding.com

-------------------------------------------------
 Sent using http://www.DWmail.net, a free service
 Check your email [any email, anytime, anywhere]
-------------------------------------------------
Disclaimer: DWmail.net is not responsible for the content sent via it's services.  Additional header information is 
included regarding the source of an email.  If you believe an email is junk you should look for the 'Originating IP' 
message header

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security 
assessment by leading market research firm. Watchfire's AppScan is the 
industry's first and leading web application security testing suite, and 
the only solution to provide comprehensive remediation tasks at every 
level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------