- From: Henrik Frystyk Nielsen <frystyk@ptsun00.cern.ch>
- Date: Mon, 5 Dec 94 22:36:08 +0100
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, zurko@osf.org
The 401 code is not tied to the basic AA scheme. The WWW-Authenticate and WWW-Authorization headers both are defined to contain extension tokens. However, if you are sure that the server is not going to send the object to the client and the client shouldn't try again then the right code to use is `403 Forbidden'. If using the basic AA the server should repeat sending back a 401 code following the current spec. Though the server can switch to a 403 code if multiple attempts have been tried, but this requires that the server keeps state of the connections which is outside the scope of the spec.

-- cheers --

Henrik
Received on Monday, 5 December 1994 13:36:42 UTC
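
The 401-then-403 behaviour discussed in the message above, as an added example that is not part of the original message: a Basic-auth gate that repeats the 401 challenge and switches to 403 after repeated failures, which is where the per-client state comes from. The threshold, realm, credentials and the names `AuthGate` and `basic_header` are assumptions for illustration; credentials are read from the `Authorization` request header.

```python
import base64
import hmac
from collections import defaultdict

MAX_ATTEMPTS = 3               # assumed threshold; the message names no number
REALM = "example"              # hypothetical realm
USERS = {"alice": "s3cret"}    # constructed credentials for the demo

def basic_header(user, password):
    """Build an Authorization header value for the Basic scheme."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class AuthGate:
    """Choose 401 or 403 for Basic auth, keeping per-client failure state."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)   # client id -> failed attempts

    def _credentials_ok(self, header):
        # Malformed scheme, base64 or user:password pair counts as a failure.
        scheme, _, token = (header or "").partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:     # covers binascii.Error and UnicodeDecodeError
            return False
        user, sep, password = decoded.partition(":")
        expected = USERS.get(user)
        if not sep or expected is None:
            return False
        return hmac.compare_digest(expected.encode(), password.encode())

    def handle(self, client, authorization=None):
        """Return (status, headers) for one request from `client`."""
        if self.failures[client] >= self.max_attempts:
            return 403, {}     # client should not retry: no challenge sent
        if self._credentials_ok(authorization):
            self.failures[client] = 0
            return 200, {}
        if authorization is not None:
            self.failures[client] += 1     # count only submitted credentials
            if self.failures[client] >= self.max_attempts:
                return 403, {}
        # Repeat the challenge so the client may try again.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
```

In this sketch the failure count never expires, so a client that reaches the threshold keeps getting 403 even with correct credentials; a deployed server would age the counter out.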