W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: REAUTHENTICATION REQUIRED

From: Scott Lawrence <lawrence@agranat.com>
Date: Tue, 25 Nov 1997 13:51:13 -0500
Message-Id: <199711251851.NAA19898@devnix.agranat.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>>>>> "RP" == Ross Patterson <Ross_Patterson@ns.reston.vmd.sterling.com> writes:

RP> "Scott Lawrence" <lawrence@agranat.com> writes:

>> As I wrote the proposal, 'discard' can't be combined with other uses
>> of the Authentication-Info header, such as nextnonce; this may have
>> been a mistake.

RP> Just to be clear: You're proposing that a client receiving an
RP> "Authentication-Info: Discard" header in a response should discard the
RP> credentials it supplied on the Authorization header in the request,
RP> correct?  Given everything Fote has been saying about the domain of
RP> credentials over URLs, not to mention realm values, it's entirely
RP> possible for a browser to have a large cache of presumably-valid
RP> credentials.  I don't think you're asking to have them all discarded, or
RP> even some subset of those associated with the origin server, correct?

  Yes, correct.  My intent was that the credentials used for the
  request be discarded - regardless of what other protection spaces
  they may have also applied to.  Credentials not used for the request
  are not affected.

  Example:

    get /foo       ------------------>
                   <----------------- 401 Unauthorized
                                      WWW-Authenticate: realm="bar"
    (prompt user)
    get /foo       ------------------>
    Authorization: xxxxx
                   <----------------- 200 Ok
                                      ...
    get /foo/bogus  ------------------>
    Authorization: xxxxx
                   <----------------- 200 Ok
                                      ...
    post /foo/bar  ------------------>
    Authorization: xxxxx
                   <----------------- 200 Ok
                                      Authentication-Info: discard
    (discard credentials use to build xxxxx)

  At this point, if the user enters the URL for /foo/bogus, the user
  agent may 'remember' that it needs to prompt for credentials in
  realm 'bar' or it may just send a request and (presumably) get a 401
  as usual.  The fact that 'discard' came in response to a request for
  /foo/bar does not restrict the loss of credentials to that resource
  - the credentials go away and must not be reused.

  If people don't think that was clear, I invite improved wording.

RP> One more point: Since Authentication-Info is defined by RFC 2069 as
RP> being sent when authentication is successful, this discard response must
RP> be sent with a 2xx or 3xx status code and without a WWW-Authenticate
RP> header.  In other words, an origin server is only allowed to request the
RP> client to discard credentials at a time when they are acceptable to the
RP> server.

  I had not made that specific, but I see no problem with it.

RP> And I assume we'd want to support "Proxy-Authentication-Info: Discard"
RP> as well.

  I will leave that to those who believe that they understand proxy
  authentication...

RP> I have to say that this is all starting to sound like something we
RP> aren't allowed to do while trying to move HTTP/1.1 from Proposed to
RP> Draft Standard.  As much as the lack of a procedure for invalidating a
RP> client's credentials has hurt my company's products (quite a bit!)...

  It is clear that this capability, if it existed, would be a big help
  to application developers.  I believe that a good case can be made
  that its absense decreases the security of many applications, and so
  I would argue that it is a bug in the protocol - bugs may be fixed
  at this stage.  I also believe (as I said in the earlier note) that
  it does not present a backward compatibility problem (web
  applications using old browsers will be bug-for-bug compatible with
  the old protocol :-).

RP> ... we
RP> would nonetheless be opposed to any change that would prevent the rapid
RP> advancement of HTTP/1.1 to Draft Standard.

  I could not agree more.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
Received on Tuesday, 25 November 1997 11:07:17 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:04 EDT