W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

Re: Reauthentication Requested Revisited

From: Scott Lawrence <lawrence@agranat.com>
Date: Mon, 02 Feb 1998 21:52:20 -0500
Message-Id: <199802030252.VAA14965@devnix.agranat.com>
To: http-wg@cuckoo.hpl.hp.com

>>>>> "JC" == Josh Cohen <joshco@MICROSOFT.com> writes:

JC> 1) the server needs a way to send a message to the client saying
JC>   please revalidate your credentials with the user

  I know that I sound like a broken record here, but the minimal
  requirement is to instruct the user agent to discard the current
  credentials - whether or not it should then obtain new ones depends
  on whether or not it has another request to send that requires
  them, which might be immediatly or next month.

  A 'Logout' function does not require that new credentials be
  obtained - in fact, doing so would defeat the very purpose of
  discarding the current set.

  A 'Revalidate' function can be accomplished by instructing the user
  agent to discard current credentials in any redirection or
  authentication-required response.

JC> 2) the server needs a way to detect that the client has
JC>    or is at least claiming to knowingly complete the task
JC> ... (else how would you know if the client actually revalidated?)

  But the assurance means nothing; in neither case can the server know
  anything about what the user agent did.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
Received on Monday, 2 February 1998 18:58:36 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:11 EDT