
RE: REAUTHENTICATION REQUIRED

From: Paul Leach <paulle@microsoft.com>
Date: Mon, 24 Nov 1997 10:44:33 -0800
Message-Id: <5CEA8663F24DD111A96100805FFE6587203791@red-msg-51.dns.microsoft.com>
To: "'David W. Morris'" <dwm@xpasc.com>
Cc: 'http-wg' <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>, 'Jim Gettys' <jg@w3.org>, 'http-wg' <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>

Two comments:

Certain popular web servers have a built-in "session" mechanism, so that what
the server needs to do has already been implemented.

The guys who want this want to trust the browser as little as possible. A
browser that doesn't understand the timeout directive would ignore it. A
browser that doesn't understand "4xx reauth required" will consider it a
fatal error. They like that default.


> ----------
> From: 	David W. Morris[SMTP:dwm@xpasc.com]
> Sent: 	Monday, November 24, 1997 10:34 AM
> To: 	Paul Leach
> Cc: 	'http-wg'; 'Jim Gettys'; 'http-wg'
> Subject: 	RE: REAUTHENTICATION REQUIRED
> 
> 
> 
> On Mon, 24 Nov 1997, Paul Leach wrote:
> 
> > How about cookies? I've heard they are useful for tracking state... :-)
> > 
> > As I understand it: cookie has a magic number in it. Magic number is index
> > into a table at the server. Table has timeout information.
> 
> Cookies are one way to maintain state, munged URLs are another. Both
> are more complex than needed if the client is simply given a timeout.
> 
> Servers which want more precision or actually require a stateful
> interaction will of course maintain their own timeouts. But for basic
> access to a secured set of WEB resources, having the client provide
> the timing keeps everything simpler.
> 
> 
Received on Monday, 24 November 1997 10:49:24 EST
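
An added illustration, not part of the thread or of any server mentioned in it: the server-side session table sketched in the quoted text, with the idle timeout enforced by the server so that a client which ignores a timeout directive gains nothing. The class and function names, the 300-second timeout and the use of 401 for the thread's unspecified "4xx reauth required" status are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 300  # seconds; assumed value, the thread does not give one


class SessionTable:
    """Server-side table keyed by an opaque random cookie value."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._timeout = idle_timeout
        self._clock = clock
        self._last_seen = {}  # token -> time of last accepted request

    def login(self):
        """Call after credentials were verified; returns the cookie value."""
        token = secrets.token_urlsafe(32)  # unguessable, not a counter
        self._last_seen[token] = self._clock()
        return token

    def check(self, token):
        """Return an HTTP status: 200 to serve, 401 to force reauthentication."""
        seen = self._last_seen.get(token)
        now = self._clock()
        if seen is None or now - seen > self._timeout:
            # Missing, unknown or stale: drop state and fail closed. The
            # client's own view of the timeout is never consulted.
            self._last_seen.pop(token, None)
            return 401  # assumed stand-in for "4xx reauth required"
        self._last_seen[token] = now  # sliding idle window
        return 200


def demo():
    """Constructed scenario with a fake clock; returns the status sequence."""
    now = [0.0]
    table = SessionTable(idle_timeout=300, clock=lambda: now[0])
    token = table.login()
    statuses = []
    for advance in (100, 250, 301, 1):  # seconds between requests
        now[0] += advance
        statuses.append(table.check(token))
    statuses.append(table.check("forged-value"))  # constructed bogus cookie
    return statuses
```

Once the idle window is exceeded the entry is deleted, so a later request with the same cookie is still refused rather than silently reviving the session.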
