
Re: REAUTHENTICATION REQUIRED

From: Scott Lawrence <lawrence@agranat.com>
Date: Tue, 25 Nov 1997 12:17:16 -0500
Message-Id: <199711251717.MAA19701@devnix.agranat.com>
To: Maurizio Codogno <mau@beatles.cselt.it>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>>>>> "MC" == Maurizio Codogno <mau@beatles.cselt.it> writes:

MC> As some pointed out, often it is the client, not the server, which
MC> would like to forget the auth info (but this does not belong to HTTP);
MC> moreover the server cannot be sure that the client forgets the info.

  The proposal is to provide a mechanism whereby the server can direct
  the client to discard the user credentials.

  Clients should also have other mechanisms for doing the same things
  - for example, there should always be some way for the user to
  direct a browser to delete any stored credentials (so the user can
  leave a shared system without leaving credentials for the next
  user).

MC> This all said, shouldn't the server send a cookie (oops, wrong term :-))
MC> which the client should send back together with the usual Authentication:
MC> data?

  As I wrote the proposal, 'discard' can't be combined with other uses
  of the Authentication-Info header, such as nextnonce; this may have
  been a mistake.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
Received on Tuesday, 25 November 1997 09:21:04 EST
