- From: Marc Salomon <mes@slip.net>
- Date: Tue, 25 Nov 1997 08:05:09 -0800 (PST)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Recycling existing authentication techniques, a server can change the realm under which a namespace is protected over time while authenticating against the same credentials. After the server has timed out the authorization, it could challenge a client against a different realm over the same PATH_INFO namespace (the realm perhaps corresponding to $domain.$timestamp) and force verifiable reauthentication.

Only the most reckless clients would try to guess that a set of distinct realms over the same namespace were "similar" enough to reuse credentials. Sloppy clients could make a much safer bet and reuse credentials for the same-realm, same-namespace case, effectively ignoring the proposed message.

I experimented with this a few years ago with Mosaic and Netscape (v <= 2.0), and I recall that they both stacked up realms and would send as many authorization responses as realms authorized.

The implementation costs on the server side would be only slightly more expensive than keeping enough state to know when to send a REAUTHENTICATION REQUIRED message.

-marc
Received on Tuesday, 25 November 1997 08:08:31 UTC
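The realm-rotation scheme described in the message above, worked through as an added example (this is not code from the original post or from any project Marc Salomon describes). It assumes a Digest-style challenge in the RFC 2069 form, H(H(A1):nonce:H(A2)), so that the client's Authorization header echoes the realm it was computed for and the server can check that the response is bound to the current realm; a plain Basic Authorization header carries no realm, so a server using Basic could not tell a re-prompted response from a cached one. The user table, server key, 300-second lifetime, fixed clock values and the Client class with its prompt callback are all constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed demo data: a real server would look users up in a credential store.
USERS = {"alice": "correct horse battery staple"}
DOMAIN = "example.test"
AUTH_LIFETIME = 300                           # seconds a realm stays current (assumption)
SERVER_KEY = b"demo-key-not-for-production"   # assumption: only used to derive nonces


def h(s):
    return hashlib.md5(s.encode()).hexdigest()


def current_realm(now):
    """Realm of the form $domain.$timestamp, rotated every AUTH_LIFETIME seconds."""
    return f"{DOMAIN}.{int(now) // AUTH_LIFETIME * AUTH_LIFETIME}"


def nonce_for(realm):
    # Nonce derived from the realm, so the server can verify it without per-client state.
    return hmac.new(SERVER_KEY, realm.encode(), hashlib.sha256).hexdigest()[:32]


def challenge(now):
    realm = current_realm(now)
    return {"status": 401,
            "WWW-Authenticate": f'Digest realm="{realm}", nonce="{nonce_for(realm)}"'}


def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2069 request-digest: H(H(A1):nonce:H(A2)) with A1=user:realm:pw, A2=method:uri."""
    a1 = h(f"{user}:{realm}:{password}")
    a2 = h(f"{method}:{uri}")
    return h(f"{a1}:{nonce}:{a2}")


def parse_params(header):
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def handle_request(method, uri, headers, now):
    """Server side: accept only a Digest response computed over the *current* realm."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Digest "):
        return challenge(now)
    p = parse_params(auth)
    realm = current_realm(now)
    # A stale realm or nonce means the authorization predates the last rotation: re-challenge.
    if p.get("realm") != realm or not hmac.compare_digest(p.get("nonce", ""), nonce_for(realm)):
        return challenge(now)
    pw = USERS.get(p.get("username", ""))
    if pw is None:
        return challenge(now)
    expected = digest_response(p["username"], pw, realm, p["nonce"], method, p.get("uri", ""))
    if not hmac.compare_digest(expected, p.get("response", "")):
        return challenge(now)
    return {"status": 200, "body": f"hello {p['username']}"}


class Client:
    """Hypothetical well-behaved client: caches credentials per realm, prompts on a new realm."""

    def __init__(self, prompt):
        self.prompt = prompt        # callable(realm) -> (user, password); stands in for a UI dialog
        self.creds = {}             # realm -> (user, password)
        self.prompts = 0
        self.last_auth = None       # last Authorization header sent (kept for the replay check)

    def fetch(self, method, uri, now):
        headers = {}
        for _ in range(3):          # unauthenticated try, then at most two challenge rounds
            resp = handle_request(method, uri, headers, now)
            if resp["status"] != 401:
                return resp
            p = parse_params(resp["WWW-Authenticate"])
            realm, nonce = p["realm"], p["nonce"]
            if realm not in self.creds:     # distinct realm: never reuse, ask the user again
                self.prompts += 1
                self.creds[realm] = self.prompt(realm)
            user, pw = self.creds[realm]
            self.last_auth = (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
                              f'uri="{uri}", response="{digest_response(user, pw, realm, nonce, method, uri)}"')
            headers["Authorization"] = self.last_auth
        return resp


def demo():
    t0 = 1_000_000                  # constructed clock value
    client = Client(prompt=lambda realm: ("alice", USERS["alice"]))
    first = client.fetch("GET", "/private/", t0)
    second = client.fetch("GET", "/private/", t0 + 10)                  # same realm: no new prompt
    third = client.fetch("GET", "/private/", t0 + AUTH_LIFETIME + 1)    # realm rotated: prompt again
    return first["status"], second["status"], third["status"], client.prompts


def replay_after_rotation():
    """A captured Authorization header from the old realm is refused once the realm has rotated."""
    t0 = 1_000_000
    client = Client(prompt=lambda realm: ("alice", USERS["alice"]))
    client.fetch("GET", "/private/", t0)
    stale = {"Authorization": client.last_auth}
    return handle_request("GET", "/private/", stale, t0 + AUTH_LIFETIME + 1)["status"]
```

Running demo() shows the client prompted exactly twice across three requests: once on first contact and once after the realm rotated, while the request inside the lifetime went through on cached credentials. replay_after_rotation() shows the server side of the same property: an Authorization header computed for the previous $domain.$timestamp realm gets a fresh 401 rather than access.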