W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1996

Proposal for two new authentication schemes...

From: Rich Connamacher <phantom@baymoo.sfsu.edu>
Date: Tue, 7 May 1996 06:25:49 -0700 (PDT)
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.BSF.3.91.960507055837.5650A-100000@simon.sfsu.edu>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/443
I know that this is too late in the game to become a part of HTTP 1.1, 
but I would like to suggest the following two additions to the 
authorization scheme, let's call them "clear" and "tagged".

WWW-authenticate: Clear realm=foo

this means that, within the realm foo, the client should stop sending any 
authentication credentials.  Without this, the client will keep bundling 
the username and password with each request, even when it is no longer 
needed, which could pose a threat in lab settings where one computer is 
controlled by several users, and it would take too long to reboot the 
brouser between sessions.  This would allow the server to instruct the 
client on when an authenticated session should end.

Another addition to the authentication scheme I would like to see would 
be for an invisible tagging of a password with each request, to make it 
easier for the server to keep track of individual guest users who don't 
have a username and password.  It would work like the following:

WWW-authenticate: Tagged realm=foo,authentication=bar

then, the client should, within the realm foo, use 'bar' as its 
authorization credentials.

I have been working with HTTP for a little over a year now, develping 
servers to work with almost entirely non-static content, much of which is 
generated on the fly.  This includes webbed confrencing systems, simple 
database searches, mail systems, and a general purpose server.  These are 
two additions to the authorization scheme that I constantly find myself 
coming back to and wishing I had at my disposal.


Received on Tuesday, 7 May 1996 06:41:31 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:17 UTC