W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1995

411 response code: clarification, please

From: Dave Kristol <dmk@allegra.att.com>
Date: Wed, 16 Aug 95 17:41:50 EDT
Message-Id: <199508162145.AA101309520@hplb.hpl.hp.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
401 and 411 are the response codes for failed authentication.  I'm
uncertain when an origin server should respond with 411, rather than
401.  Here's what I think I understand.  Assume, in each case, that the
origin server requires authentication for the request.

1) Client sends no Authorization request header.  Server always
responds with 401.

2) Client sends Authorization request header.  Server doesn't like the
information therein.

    2a) Basic scheme.  At present, servers send 401 if the name:passwd
    is unacceptable.  Should they send 411 for HTTP/1.1?  Apparently
    not:  the challenge is likely to be the same as the previous one,
    so sending the same response is futile.

    2b) Digest scheme.
    2b1) The "stale" attribute says whether the problem is with the
    nonce value, so the client can tell whether the server thinks
    that's what the problem is.  Should the server send 401 or 411 on a
    stale nonce?  (I'm guessing 411, although it doesn't appear to
    matter.)

    2b2) If the nonce is fresh, but the server rejects the authorization
    information for other reasons, I'm guessing the server should
    return a 401. A 411 would imply that the client could recalculate
    the Authorization header from the challenge (realm and nonce), but
    they may well be the same the second time, and the server would
    reject it again.

So, in all cases but 2b1, the correct answer appears to be 401.  For
case 2b1, 401 should work as well as 411, because the "stale" attribute
provides the equivalent information to 411.  So, what is 411 for??

Dave Kristol
Received on Wednesday, 16 August 1995 14:46:45 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:25 EDT