W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

RE: REAUTHENTICATION REQUIRED

From: Marc Salomon <mes@slip.net>
Date: Tue, 25 Nov 1997 08:05:09 -0800 (PST)
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.GSO.3.96.971125080007.29925B-100000@slip-3>


Recycling existing authentication techniques, a server can change the
realm under which a namespace is protected over time while authenticating
against the same credentials.  After the server timed out authorization,
it could challenge a client against a different realm over the same
PATH_INFO namespace (the realm perhaps corresponding to
$domain.$timestamp) and force verifiable reauthentication. 

Only the most reckless clients would try to guess that a set of distinct
realms over the same namespace were "similar"  enough to reuse
credentials.  Sloppy clients could make a much safer bet and reuse
credentials for the same realm, same namespace case, effectively ignoring
the proposed message.  I experimented with this a few years ago with
Mosaic and Netscape (v <= 2.0) and I recall that they both stacked up
realms and would send as many authorization responses as realms
authorized. 

The implementation costs on the server side would be only slightly more
expensive than keeping enough state to know when to send a
REAUTHENTICATION REQUIRED message.

-marc
Received on Tuesday, 25 November 1997 08:08:31 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:04 EDT