Recycling existing authentication techniques, a server can change the realm under which a namespace is protected over time while authenticating against the same credentials. After the server has timed out an authorization, it could challenge a client against a different realm over the same PATH_INFO namespace (the realm perhaps corresponding to $domain.$timestamp) and force verifiable reauthentication.

Only the most reckless clients would try to guess that a set of distinct realms over the same namespace were "similar" enough to reuse credentials. Sloppy clients could make a much safer bet and reuse credentials for the same-realm, same-namespace case, effectively ignoring the proposed message. I experimented with this a few years ago with Mosaic and Netscape (v <= 2.0) and I recall that they both stacked up realms and would send as many authorization responses as realms authorized.

The implementation costs on the server side would be only slightly more expensive than keeping enough state to know when to send a REAUTHENTICATION REQUIRED message.

-marc

Received on Tuesday, 25 November 1997 08:08:31 EST
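The realm-rotation scheme sketched in the message, as an added example that is not part of the original post: the server derives the realm from the domain plus a time bucket, a careful client caches credentials keyed on (realm, namespace) and so misses after rotation, while a sloppy client keyed on namespace alone keeps reusing them. The interval length, domain, namespace and credentials are constructed values.

```python
import base64

# Constructed policy value: how long one realm (and its cached credentials) stays valid.
REAUTH_INTERVAL = 3600


def realm_for(domain: str, now: float, interval: int = REAUTH_INTERVAL) -> str:
    """Realm of the form $domain.$timestamp: stable within one interval, new at the boundary."""
    bucket = int(now) // interval * interval
    return f"{domain}.{bucket}"


def challenge(domain: str, now: float) -> dict:
    """Server side: the 401 challenge for the protected namespace at time `now`."""
    return {"status": 401, "WWW-Authenticate": f'Basic realm="{realm_for(domain, now)}"'}


def parse_realm(header: str) -> str:
    """Client side: extract the realm from a minimal `Basic realm="..."` challenge."""
    scheme, _, params = header.partition(" ")
    key, _, value = params.partition("=")
    if scheme != "Basic" or key.strip() != "realm":
        raise ValueError(f"unsupported challenge: {header!r}")
    return value.strip().strip('"')


class CredentialCache:
    """Client credential cache. strict=True keys on (realm, namespace), as a careful
    client should; strict=False keys on namespace alone, the 'sloppy client' case."""

    def __init__(self, strict: bool = True):
        self.strict = strict
        self._store = {}

    def _key(self, realm, namespace):
        return (realm, namespace) if self.strict else (None, namespace)

    def remember(self, realm, namespace, user, password):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._store[self._key(realm, namespace)] = token

    def authorization(self, realm, namespace):
        """Cached Authorization header value, or None when the user must be re-prompted."""
        token = self._store.get(self._key(realm, namespace))
        return f"Basic {token}" if token else None


def reuse_after(domain, namespace, elapsed, strict=True):
    """Can a client that authenticated at t=0 answer the challenge issued at t=elapsed
    from its cache without re-prompting the user?"""
    cache = CredentialCache(strict)
    first = parse_realm(challenge(domain, 0)["WWW-Authenticate"])
    cache.remember(first, namespace, "alice", "s3cret")  # constructed credentials
    later = parse_realm(challenge(domain, elapsed)["WWW-Authenticate"])
    return cache.authorization(later, namespace) is not None
```

The server only needs to remember the current bucket (or compute it from the clock) to decide when its challenge realm changes, which is the modest state cost the message describes.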