Reauthentication Requested Revisited

From: Josh Cohen (joshco@microsoft.com)
Date: Fri, Jan 23 1998


Message-ID: <21FD6499922DD111A4F600805FCCD6F2013D08CC@red-86-msg.dns.microsoft.com>
From: Josh Cohen <joshco@microsoft.com>
To: "'ietf-http-ext@w3.org'" <ietf-http-ext@w3.org>
Date: Fri, 23 Jan 1998 00:52:04 -0800
Subject: Reauthentication Requested Revisited

Reauthenticarion required revisited.

I'm not sure if this should really go to http-wg or http-ext,
so I ll post it here, and if it comes to a consensus, we can think about
bringing it to the wg for 1.1...

The big problem I saw with the reauth required is that while
the server can advise the client to ask the user for credentials
again, there is no way for the server to be sure that the client
really behaved and didnt just say "yeah, whatever" and send cached
creds.  I propose a more generalized method of affecting this problem.

In english, what Id like to see go on is this:

Client is surfing along, and comes to URL A.
URLA is a script which performs an action.
 for this example, that action is "grab a coke from the fridge"

1. Client requests a coke
2. server replies: go ask your mother first.
3. client asks mom "can I have a coke"
4. client repeats the request and along with the 
  request says: "I did what you asked, mom says OK"
5. server hands out a coke.

What Im looking at is not to verify that mom was actually asked,
 but the client claims that it took action.
 
In http terms:
(As usual, excuse my bnf )

Introduce a new response header action-request:

 action-request ":" ActionID "," "type" "=" value 
  ActionID = OpaqueString
  value = "AUTH" | "EXEC" | "ECHO"

AUTH means reaquire the credentials for the realm used
 on this request
EXEC means "execute" the content body, which presumably
 is a script, ie javascript
ECHO perform no action, just echo the ActionID in the
 next request to this URI

When this header is received with the 4xx code above,
 the client should immediately perform the action indicated
 and try the request again. (exact same request except for
 inclusion of the action-reply header)

When received with a 200, and ECHO as the action, simply
send the actionID with action-reply for the next request
to the same URI only.

Introduce a new request header action-reply:

 action-reply ":" ActionID

When re-sending a request due to 4xx preAction required,
 include the ActionID to indicate acknowledgement.

Introduce response code 4xx preAction required

 this response code must have an action-request header.

---
Essentially this is a server to client request acknowledgement
system.  

The case in point for us is for a POST with a CGI where
the CGI wants the browser to go do something, like reauth
then repeat the same request.
This is needed because without it, the best we could hope
for was a redirect to itself (which the browsers today
are smart enough to not do), or use a meta refresh
(which would cause repost data? to pop up).

I beleive that in this case reposting the data is ok
without user intervention because the POST action is
declared to not complete, and the server is instructing
the client to "retry" the request.  When using this
the CGI must not carry out the POST when returning
the 4xx code.

---

Your comments?