W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: Basic Authentication behavior

From: John Franks <john@math.nwu.edu>
Date: Sun, 7 Sep 1997 15:53:47 -0500 (CDT)
To: Foteos Macrides <MACRIDES@sci.wfbr.edu>
Cc: lawrence@agranat.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SUN.3.96.970907154143.20258A-100000@hopf.math.nwu.edu>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4353
On Sun, 7 Sep 1997, Foteos Macrides wrote:

> 	It is classic libwww behavior to guess a template for a Basic
> realm, and that is current practice for software which has it as a
> heritage. 

Upon reflection and re-reading the spec, yet again, I have no problem
with clients guessing authentication credentials based on some 
heuristic.  What heuristic is used is entirely an implementation
question and is up to the client implementor.  

> If the hiearchy of symbolic elements for the path of the request were
> /sym1/sym2/sym3/foo.blah   and there were no template indicated (and
> it never is, because that header never got into any IETF RFCs :) the
> UA guesses   /sym1/sym2/sym3/*   and depending on subsequent requests
> might eventually infer that   /sym1/sym2/*   is the "correct" template.

I believe that there is common current practice which is different from
this, but I think there is no need to discuss the algorithm the client
uses to pick the template as that is an implementation decision.

A sentence in the spec to the effect that "credential guessing"
is common current practice might be useful.  It might affect how
suspicious one should be of failed authentication attempts.

John Franks 	Dept of Math. Northwestern University
Received on Sunday, 7 September 1997 13:58:18 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:21 UTC