Re: Reauthentication Requested Revisited

From: Scott Lawrence (lawrence@agranat.com)
Date: Fri, Jan 23 1998


Message-Id: <199801232146.QAA00356@devnix.agranat.com>
To: Josh Cohen <joshco@microsoft.com>
Cc: ietf-http-ext@w3.org
Date: Fri, 23 Jan 1998 16:46:21 -0500
From: "Scott Lawrence" <lawrence@agranat.com>
Subject: Re: Reauthentication Requested Revisited


>>>>> "JC" == Josh Cohen <joshco@microsoft.com> writes:

JC> Reauthenticarion required revisited.

  This discussion got all mixed up.  The original requirement is that
  the server wants the client to discard the current credentials (that
  is, those used in the request to which this is a response).

  There are (at least) three reasons why the server might want to do
  this:

   1) The server wishes to force the user to reenter credentials (it
      has been too long, or too many requests since those credentials
      were originally obtained - make sure the same human being is
      still there).  This would normally accompany a 401 response.

   2) The user has indicated (by pushing a 'logout' button or
      following an off-site link of some kind) that the authenticated
      part of the session is over; the server wants the user agent to
      get the credentials out of cache so that new ones will be
      obtained next time (eg.  student is doing registration for
      next semester from a public browser - pushes the 'commit
      schedule' button).  Most often will accompany a 2xx response.
      This is the one that people on the CGI newsgroups ask for
      several times a week.

   3) Those credentials are known by the server to be no longer valid
      (the password just got changed).  This might be either a positive
      or negative response.

  This also serves to illustrate that the feature should not be a
  status code.

JC> Introduce a new response header action-request:

JC>  action-request ":" ActionID "," "type" "=" value
JC>   ActionID = OpaqueString
JC>   value = "AUTH" | "EXEC" | "ECHO"

JC> AUTH means reaquire the credentials for the realm used
JC>  on this request

  Not general enough; does not cover cases 2 or 3 above.

JC> EXEC means "execute" the content body, which presumably
JC>  is a script, ie javascript

  And if I (the user) don't allow execution of arbitrary code shipped
  to my browser by strangers (no, I don't have Java enabled)?

JC> ECHO perform no action, just echo the ActionID in the
JC>  next request to this URI

  Yet another form of cookie?

JC> Essentially this is a server to client request acknowledgement
JC> system.

  And why is that any more assurance that it actually did anything
  than you had before? (the kid can still _claim_ to have asked Mom)

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/