
I have an HTTP server with Digest authentication on my SOC. On an authentication attempt the server correctly sends a response with a 401 code and a WWW-Authenticate header with a nonce and the Digest scheme. However, on some hosts browsers do not include the Authorization field (with the nonce etc.) in subsequent requests, which they are supposed to include.

Here is the Edge login attempt:

Response with WWW-Authenticate - https://i.stack.imgur.com/mdFqm.png. In the screenshot above, the correct WWW-Authenticate field is returned by the server.

Request without Authorization - https://i.stack.imgur.com/sbzyn.png. I expect an Authorization field in the next request, but there is none!

The Chrome attempt is similar, except it instantly shows a 401 page without a login prompt because there is no Authorization field in the header.

Chrome and Edge are both the latest 64-bit versions on Windows 10.

What possible issues could cause this behavior?

  • In the case of "Basic" authentication, the exchange must happen over an HTTPS (TLS) connection to be secure. Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#The_general_HTTP_authentication_framework – Deepak-MSFT Sep 05 '19 at 10:46
  • @Deepak-MSFT I am using Digest, not Basic authentication. TLS is irrelevant to the question. – YngveStardust Sep 05 '19 at 10:51
  • Can you please try to provide sample code to reproduce and test the issue with the Edge browser to check the results? It can help us to understand the issue in a better way. Thanks for your understanding. – Deepak-MSFT Sep 06 '19 at 09:47

1 Answer


Apparently the problem was a multi-line WWW-Authenticate header. You can see the "\r\n" separators between header field values in the screenshots (0x0d 0x0a bytes).

Such multi-line headers were allowed in the original RFC 2616 and then deprecated by the newer RFC 7230. See https://stackoverflow.com/a/31324422/8876135 for details and links.

After fixing the header field by making it a single line, the problem was gone. Still, I have no idea why the exact same browsers had this issue with the header on some hosts but were completely fine on my work/home PCs.
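A small check for the folded-header problem the answer describes, added here as an example and not code from the question or the answer: it scans a raw HTTP response for obsolete line folding (RFC 7230 obs-fold) in the header block, shows what a client that reads only the first line of the challenge gets, and rewrites the fold into a single-line header as RFC 7230 permits a recipient to do. The response bytes, realm, nonce and opaque values are constructed.

```python
import re

# RFC 7230 section 3.2.4: obs-fold = CRLF 1*( SP / HTAB ). A header value that
# continues on a new line starting with whitespace is exactly what the
# screenshots in the question show (0x0d 0x0a inside WWW-Authenticate).
OBS_FOLD = re.compile(rb"\r\n[ \t]+")

def find_folded_headers(raw: bytes) -> list:
    """Return the names of header fields whose value contains an obs-fold."""
    head = raw.partition(b"\r\n\r\n")[0]          # status line + header block
    folded = []
    # Split on CRLF only when the next line does NOT start with whitespace, so a
    # folded continuation stays attached to its field; [1:] skips the status line.
    for field in re.split(rb"\r\n(?![ \t])", head)[1:]:
        if OBS_FOLD.search(field):
            folded.append(field.split(b":", 1)[0].decode("ascii", "replace"))
    return folded

def unfold_headers(raw: bytes) -> bytes:
    """Replace every obs-fold in the header block with a single space (RFC 7230 recipient rule)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return OBS_FOLD.sub(b" ", head) + sep + body

def digest_params(raw: bytes) -> dict:
    """Parse the quoted-string parameters of the WWW-Authenticate Digest challenge.
    Deliberately reads only up to the next CRLF, which is what a client that
    rejects obs-fold effectively sees: a truncated challenge with no nonce."""
    m = re.search(rb"\r\nWWW-Authenticate:[ \t]*Digest[ \t]+([^\r\n]*)", raw, re.IGNORECASE)
    if not m:
        return {}
    return {k.decode(): v.decode() for k, v in re.findall(rb'(\w+)="([^"]*)"', m.group(1))}

# Constructed sample: a Digest challenge emitted one parameter per line, each
# continuation starting with whitespace. Realm, nonce and opaque are made up.
FOLDED_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Digest realm="soc",\r\n'
    b'    qop="auth",\r\n'
    b'    nonce="deadbeef0001",\r\n'
    b'    opaque="abc123"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("folded fields:", find_folded_headers(FOLDED_RESPONSE))
    print("challenge as a strict client sees it:", digest_params(FOLDED_RESPONSE))
    fixed = unfold_headers(FOLDED_RESPONSE)
    print("after unfolding:", digest_params(fixed))
```

Running the check against the bytes your own server emits (e.g. captured with a raw socket read rather than a browser dev-tools view, which may already have unfolded them) tells you whether the challenge is single-line before any browser sees it.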