- From: Roy Fielding <fielding@beach.w3.org>
- Date: Thu, 17 Aug 1995 13:50:45 -0400
- To: Dave Kristol <dmk@allegra.att.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>401 and 411 are the response codes for failed authentication. I'm
>uncertain when an origin server should respond with 411, rather than
>401. Here's what I think I understand. Assume, in each case, that the
>origin server requires authentication for the request.
>
>1) Client sends no Authorization request header. Server always
>responds with 401.
Yep.
>2) Client sends Authorization request header. Server doesn't like the
>information therein.
>
> 2a) Basic scheme. At present, servers send 401 if the name:passwd
> is unacceptable.
Are you sure? I thought they sent 403 in this case.
> Should they send 411 for HTTP/1.1?
Yes, but only if they want to include information about how the
user can correct the situation.
> Apparently
> not: the challenge is likely to be the same as the previous one,
> so sending the same response is futile.
"likely to be the same" is not a strong statement.
> 2b) Digest scheme.
> 2b1) The "stale" attribute says whether the problem is with the
> nonce value, so the client can tell whether the server thinks
> that's what the problem is. Should the server send 401 or 411 on a
> stale nonce? (I'm guessing 411, although it doesn't appear to
> matter.)
411 (I was assuming that 401 is only sent when the request had no
Authorization field at all).
> 2b2) If the nonce is fresh, but the server rejects the authorization
> information for other reasons, I'm guessing the server should
> return a 401. A 411 would imply that the client could recalculate
> the Authorization header from the challenge (realm and nonce), but
> they may well be the same the second time, and the server would
> reject it again.
411 if the server wants to give them another chance, 403 otherwise.
The description of 411 states that:
    The response must include a WWW-Authenticate header field
    (Section 8.30) containing a challenge applicable to the requested
    resource. If the challenge is different from that assumed by the
    last request, the client may repeat the request with a suitable
    Authorization header field after obtaining the user's approval.
Should that be "If and only if"?
On the other hand, we could just use 401 for both, but I was told
earlier (on the list) that the 411 semantics were needed.
....Roy T. Fielding Department of ICS, University of California, Irvine USA
Visiting Scholar, MIT/LCS + World-Wide Web Consortium
(fielding@w3.org) (fielding@ics.uci.edu)
Received on Thursday, 17 August 1995 10:52:12 UTC
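The decision tree discussed in the message above (no Authorization at all, Basic with a bad name:passwd, Digest with a stale nonce, Digest with a fresh nonce but bad credentials), written out as an added Python example that is not part of the thread or of any server of the time. It follows Roy's answers: 401 only when the request carried no Authorization field, 411 with a fresh challenge when the server wants to give the client another chance (stale=true for an expired nonce), 403 otherwise. The user store, realm, nonce format (timestamp plus HMAC so the server can check age without keeping state) and nonce lifetime are all constructed for the example; the Digest computation is the RFC 2069-style MD5 form of that era, kept only to match the discussion. Note that the 411 meaning used here is the 1995 draft's "unauthorized, with challenge" code; in RFC 2068 and later, 411 became Length Required and this case collapsed into 401.

```python
import base64
import hashlib
import hmac

# Constructed sample store for the example (not real credentials).
USERS = {"alice": "correct horse"}
REALM = "example"
NONCE_LIFETIME = 300                # seconds a Digest nonce stays fresh (assumed)
NONCE_SECRET = b"example-secret"    # assumed per-server secret used to sign nonces


def make_nonce(now):
    """Nonce = timestamp:MAC, so freshness can be verified without server state."""
    ts = str(int(now))
    mac = hmac.new(NONCE_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{mac}"


def nonce_is_fresh(nonce, now):
    """True only if the nonce was issued by us and is within NONCE_LIFETIME."""
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(NONCE_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(expected, mac):
        return False
    return 0 <= now - int(ts) <= NONCE_LIFETIME


def challenge(scheme, now, stale=False):
    """WWW-Authenticate value that accompanies a 401 or 411."""
    if scheme == "Basic":
        return f'Basic realm="{REALM}"'
    value = f'Digest realm="{REALM}", nonce="{make_nonce(now)}"'
    if stale:
        value += ", stale=true"   # tells the client only the nonce was at fault
    return value


def digest_response(username, password, method, uri, nonce):
    """RFC 2069-style response = MD5(HA1:nonce:HA2); MD5 only to match the era."""
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def basic_header(username, password):
    """Client side: build a Basic Authorization value."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def digest_header(username, password, method, uri, nonce):
    """Client side: build a Digest Authorization value for a given nonce."""
    resp = digest_response(username, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_digest_params(text):
    """Minimal key="value" list parser for the Digest credentials."""
    params = {}
    for part in text.split(","):
        key, sep, val = part.strip().partition("=")
        if sep:
            params[key.strip()] = val.strip().strip('"')
    return params


def decide(headers, method, uri, now, retry_allowed=True):
    """Return (status, WWW-Authenticate value) per the decision tree in the message."""
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge("Digest", now)                 # case 1: no credentials
    scheme, _, rest = auth.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            user, _, pw = base64.b64decode(rest, validate=True).decode().partition(":")
        except ValueError:                                    # bad base64 or encoding
            return 400, None
        ok = user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode())
    elif scheme == "digest":
        p = parse_digest_params(rest)
        if not nonce_is_fresh(p.get("nonce", ""), now):
            return 411, challenge("Digest", now, stale=True)  # case 2b1: stale nonce
        user = p.get("username", "")
        ok = user in USERS and hmac.compare_digest(
            digest_response(user, USERS[user], method, uri, p["nonce"]),
            p.get("response", ""))
    else:
        return 401, challenge("Digest", now)                 # unknown scheme: no usable credentials
    if ok:
        return 200, None
    if retry_allowed:
        return 411, challenge(scheme.capitalize(), now)      # cases 2a / 2b2: another chance
    return 403, None                                          # server declines to re-challenge
```

The retry_allowed flag is the one policy knob the message leaves to the server: whether a rejected credential deserves a new challenge (411) or a refusal (403). Because the nonce carries its own timestamp and MAC, the server can answer the stale-nonce case without a nonce table, which is also why the stale=true challenge is safe to send unconditionally.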